\rule{\linewidth}{1pt}%
}
-\newcommand*{\paragraphDiamond}[1]{\paragraph{#1} \hspace{-6pt} \ensuremath{\diamond} }
-
%%% CIPHERSTRING
\usepackage{seqsplit} % Use Sequence split. Basically it inserts between every character pair a box with zero width to allow linebreaks everywhere. Better solution wanted, but is there any better?
\CatchFileDef{\cipherStringB}{common/cipherStringB.tex}{\endlinechar=-1 }%
\subsubsection{Settings}
-\paragraphDiamond{ssl\_cipherspecs}
+\paragraph{ssl\_cipherspecs:}
In the link above the whole SSL-configuration is described in-depth. The following command shows only how to set the recommended ciphersuites.
\begin{lstlisting}
# recommended and supported ciphersuites
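Review bot: Dropping the \newcommand*{\paragraphDiamond} definition is only safe if no call site survives anywhere in the tree: the hunks below convert the uses in these files, but a single \paragraphDiamond left in a file not touched by this change becomes an undefined control sequence at build time, so grep the whole source for \paragraphDiamond before merging. The first converted heading, \paragraph{ssl\_cipherspecs:}, also shows that the colon now lives inside the title argument; with a run-in \paragraph that reads fine, but if hyperref bookmarks include paragraph-level headings the colon becomes part of the bookmark text as well.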
\end{itemize*}
\subsubsection{Settings}
-\paragraphDiamond{imapd.conf}
+\paragraph{imapd.conf:}
To activate SSL/TLS configure your certificate with
\begin{lstlisting}
tls_cert_file: .../cert.pem
\end{lstlisting}
This way MUAs can only authenticate after STARTTLS if you only provide plaintext and SASL PLAIN login methods. Therefore providing CRAM-MD5 or DIGEST-MD5 methods is not recommended.
-\paragraphDiamond{cyrus.conf}
+\paragraph{cyrus.conf:}
To support POP3/IMAP on ports 110/143 with STARTTLS add
\begin{lstlisting}
imap cmd="imapd" listen="imap" prefork=3
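Review bot: Style: the colon is now hand-typed into every title (here imapd.conf: and cyrus.conf:), so the diamond-to-colon switch is spread over twenty-odd call sites and the next heading added without a colon will silently look different from its neighbours. A one-line wrapper in the preamble, e.g. \newcommand*{\paragraphColon}[1]{\paragraph{#1:}}, or setting the separator once in the \paragraph format, keeps the punctuation in a single place while still removing the \diamond glyph.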
%% smtpd_tls_dh1024_param_file = /etc/postfix/dh_param_1024.pem
%% \end{lstlisting}
-\paragraphDiamond{MX and SMTP client configuration}
+\paragraph{MX and SMTP client configuration:}
As discussed in section \ref{subsection:smtp_general}, because of opportunistic encryption we do not
restrict the list of ciphers. There are still some steps needed to
enable TLS, all in \verb|main.cf|:
\url{http://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html}
first.
-\paragraphDiamond{MSA mode (submission)}
+\paragraph{MSA mode (submission):}
In the main config section of Exim add:
\begin{lstlisting}
to get even more TLS information logged.
-\paragraphDiamond{server mode (incoming)}
+\paragraph{server mode (incoming):}
In the main config section of Exim add:
\begin{lstlisting}
\end{lstlisting}
to get even more TLS information logged.
-\paragraphDiamond{client mode (outgoing)}
+\paragraph{client mode (outgoing):}
Exim uses opportunistic encryption in the SMTP transport by default.
Client mode settings have to be done in the configuration section of the smtp transport (driver = smtp).
% Exim Maintainers do not recommend ciphers. We shouldn't do so, too.
Do not limit ciphers without a very good reason. In the worst case you end up without encryption at all instead of some weak encryption. Please consult the Exim documentation if you really need to define ciphers.
-\paragraphDiamond{OpenSSL}
+\paragraph{OpenSSL:}
Exim already disables SSLv2 by default. We recommend to add
\begin{lstlisting}
openssl_options = +all +no_sslv2 +no_compression +cipher_server_preference
If you want to set your own DH parameters please read the TLS documentation of exim.
-\paragraphDiamond{GnuTLS}
+\paragraph{GnuTLS:}
GnuTLS is different in only some respects to OpenSSL:
\begin{itemize*}
\item tls\_require\_ciphers needs a GnuTLS priority string instead of a cipher list. It is recommended to use the defaults by not defining this option. It highly depends on the version of GnuTLS used. Therefore it is not advisable to change the defaults.
\item There is no option like openssl\_options
\end{itemize*}
-\paragraphDiamond{Exim string expansion}
+\paragraph{Exim string expansion:}
Note that most of the options accept expansion strings. This way you can e.g. set cipher lists or STARTTLS advertisement conditionally. Please follow the link to the official Exim documentation to get more information.
-\paragraphDiamond{Limitations}
+\paragraph{Limitations:}
Exim currently (4.82) does not support elliptic curves with OpenSSL. This means that ECDHE is not used even if defined in your cipher list.
There already is a working patch to provide support:
\url{http://bugs.exim.org/show_bug.cgi?id=1397}
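Review bot: Style: the converted headings are inconsistently capitalised: MSA mode (submission): starts with a capital only because of the acronym, server mode (incoming): and client mode (outgoing): are lowercase, Key renegotiation interval: and Special remark on 3DES: use sentence case, and Client Configuration: and Cryptographic Suites: use title case. Since every one of these titles is being rewritten in this change anyway, this is the moment to settle on one convention rather than leaving it for a follow-up.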
\subsubsection{Settings}
-\paragraphDiamond{Assumptions}
+\paragraph{Assumptions:}
We assume the use of IKE (v1 or v2) and ESP for this document.
-\paragraphDiamond{Authentication}
+\paragraph{Authentication:}
IPSEC authentication should optimally be performed via RSA signatures,
with a key size of 2048 bits or more. Configuring only the trusted CA
that issued the peer certificate provides for additional protection
\label{tab:IPSEC_psk_len}
\end{table}
-\paragraphDiamond{Cryptographic Suites}
+\paragraph{Cryptographic Suites:}
IPSEC Cryptographic Suites are pre-defined settings for all the items
of a configuration; they try to provide a balanced security level and
make setting up VPNs easier.
\label{tab:IPSEC_suites}
\end{table}
-\paragraphDiamond{IKE or Phase 1}
+\paragraph{IKE or Phase 1:}
Alternatively to the pre-defined cipher suites, you can define your
own, as described in this and the next section.
\label{tab:IPSEC_ph1_params}
\end{table}
-\paragraphDiamond{ESP or Phase 2}
+\paragraph{ESP or Phase 2:}
ESP or Phase 2 is where the actual data are protected; recommended
parameters are shown in table \ref{tab:IPSEC_ph2_params}.
\subsubsection{Settings}
-\paragraphDiamond{General}
+\paragraph{General:}
We describe a configuration with certificate-based authentication; see
below for details on the \verb|easyrsa| tool to help you with that.
auth SHA384
\end{lstlisting}
-\paragraphDiamond{Client Configuration}
+\paragraph{Client Configuration:}
Client and server have to use compatible configurations, otherwise they can't communicate.
The \verb|cipher| and \verb|auth| directives have to be identical.
\subsubsection{Additional settings}
-\paragraphDiamond{Key renegotiation interval}
+\paragraph{Key renegotiation interval:}
The default for renegotiation of encryption keys is one hour
(\verb|reneg-sec 3600|). If you
transfer huge amounts of data over your tunnel, you might consider
configuring a shorter interval, or switch to a byte- or packet-based
interval (\verb|reneg-bytes| or \verb|reneg-pkts|).
-\paragraphDiamond{Fixing ``easy-rsa''}
+\paragraph{Fixing ``easy-rsa'':}
When installing an OpenVPN server instance, you are probably using
\emph{easy-rsa} to generate keys and certificates.
The file \verb|vars| in the easyrsa installation directory has a
inadequate for long term protection.
\end{itemize*}
-\paragraphDiamond{Special remark on 3DES}
+\paragraph{Special remark on 3DES:}
We want to note that 3DES theoretically has 168 bits of security, however based
on the NIST Special Publication 800-57
\footnote{\url{http://csrc.nist.gov/publications/PubsSPs.html\#800-57-part1},