Merge branch 'master' of https://git.bettercrypto.org/ach-master
authorAaron Kaplan <aaron@lo-res.org>
Mon, 16 Dec 2013 20:45:03 +0000 (21:45 +0100)
committerAaron Kaplan <aaron@lo-res.org>
Mon, 16 Dec 2013 20:45:03 +0000 (21:45 +0100)
src/.gitignore
src/perlify.pl
src/practical_settings/DBs.tex

index da1e51a..5a2230a 100644 (file)
@@ -12,3 +12,6 @@ applied-crypto-hardening.markdown
 applied-crypto-hardening/
 gitHeadInfo.gin
 old/*
+practical_settings/*_generated.tex
+cipher_suites/*_generated.tex
+*_generated.tex
index ffaf436..8228fa4 100755 (executable)
@@ -1,9 +1,10 @@
 #!/usr/bin/env perl
 
 use strict;
-
+use File::Basename;
 
 my $debug=1;
+my @exclude=('DH.tex', 'ECC.tex', 'LATER.tex', 'PKIs.tex', 'RNGs.tex', 'abstract.tex', 'acknowledgements.tex', 'applied-crypto-hardening.tex', 'bib.tex', 'cipher_suites.tex', 'disclaimer.tex', 'further_research.tex', 'howtoread.tex', 'keylengths.tex', 'links.tex', 'methods.tex', 'motivation.tex', 'practical_settings.tex', 'reviewers.tex', 'scope.tex', 'ssllibs.tex', 'suggested_reading.tex', 'template.tex', 'tools.tex');
 
 my $cipherStrB=`cat cipherStringB.txt`;
 chomp $cipherStrB;
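Review bot: The preamble still has `use strict;` without `use warnings;`, so questionable comparisons and uninitialised values later in the script pass silently; add `use warnings;` next to the new `use File::Basename;`. The context line `` my $cipherStrB=`cat cipherStringB.txt`; `` is also unchecked: if the file is missing or empty, `$cipherStrB` is an empty string. Presumably that value is substituted into the generated settings, which would then carry no cipher restriction, so a guard such as `die "cipherStringB.txt is empty or unreadable\n" unless length $cipherStrB;` after the `chomp` is worth adding. The 24-entry `@exclude` list would be easier to review as a `qw(...)` list with one name per line.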
@@ -14,10 +15,11 @@ my $f;
 foreach  $f ( @files)  {
        chomp $f;
        $f =~ /(.*)\.tex/;
+       my $fbasename = basename($f);
        my $ftex = "$1_generated.tex";
 
        my $rc=` grep -q "\@\@\@CIPHERSTRINGB\@\@\@" $f`;
-       if ($rc == 0) {
+       if ($rc eq 0 and not (/$fbasename/ ~~ @exclude)) {
 
                print "file = $f\n" if $debug;
                print "ftex = $ftex\n" if $debug;
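Review bot: The new condition `$rc eq 0` can never be true as written, because `$rc` holds the captured stdout of `grep -q`, which prints nothing; the old `$rc == 0` was always true for the same reason, and the exit status is in `$?`. The exclusion test `/$fbasename/ ~~ @exclude` interpolates the file name into an unanchored regex with `.` unescaped, so it is a substring pattern match rather than an exact name comparison, and smartmatch is experimental in later Perl releases. Passing `$f` through a backtick shell command also leaves odd file names to be interpreted by the shell. I would change the two lines to `my $rc = system('grep', '-q', '@@@CIPHERSTRINGB@@@', $f);` and `if ($rc == 0 and not grep { $_ eq $fbasename } @exclude) {`. The `foreach` body continues past the end of this hunk.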
index 06c5c83..cebdb17 100644 (file)
@@ -1,9 +1,15 @@
-
 %%\subsection{Database Systems}
 % This list is based on : http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
 
 \subsubsection{Oracle}
-\todo{write this}
+\item[Tested with Version:] not tested
+
+\item[References:] (German)
+{\small \url{www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}}
+
+Please read the following pages about SSL and ciphersuites:\\
+p. 129 -Req 396 and Req 397 \\
+
 
 \subsubsection{SQL Server}
 \todo{write this}
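Review bot: The two `\item[...]` lines added under `\subsubsection{Oracle}` have no enclosing list environment, which LaTeX rejects as an `\item` outside a list; wrap them in `\begin{description}` … `\end{description}` as the DB2 section in this commit does. The `\url{www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}` reference has no scheme and its path looks truncated, so readers may not reach the document the "p. 129 -Req 396 and Req 397" pointer refers to. Since the section is marked "not tested", it would help to say that no Oracle-specific setting is given here and the reference is the only guidance.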
@@ -53,15 +59,50 @@ show variables like '%ssl%';
 \end{description}
 
 
-
-
-
-
 \subsubsection{DB2}
-\todo{write this}
+\begin{description}
+\item[Tested with Version:] not tested
 
+\item[References:]
+{\small \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.sec.doc%2Fdoc%2Fc0053544.html}}
 
 
+\paragraph*{ssl_cipherspecs}\mbox{}\\
+In the link above the whole SSL-Configuration is in-depth described. The following command shows only the recommended ciphersuites.
+\begin{lstlisting}[breaklines]
+% it's out of scope to describe the whole SSL procedure
+% # fully qualified path of the key database file
+%db2 update dbm cfg using SSL_SVR_KEYDB /home/dba/sqllib/security/keystore/key.kdb
+%
+%# fully qualified path of the stash file
+%db2 update dbm cfg using SSL_SVR_STASH /home/dba/sqllib/security/keystore/mydbserver.sth
+%
+%# label of the digital certificate of the server
+%db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
+%
+# recommended and supported ciphersuites 
+
+db2 update dbm cfg using SSL_CIPHERSPECS 
+TLS_RSA_WITH_AES_256_CBC_SHA256,
+TLS_RSA_WITH_AES_128_GCM_SHA256,
+TLS_RSA_WITH_AES_128_CBC_SHA256,
+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+TLS_RSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+TLS_RSA_WITH_AES_256_CBC_SHA,
+TLS_RSA_WITH_AES_128_CBC_SHA,
+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+
+\end{lstlisting}
 
 
 \subsubsection{Postgresql}
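Review bot: The `SSL_CIPHERSPECS` listing is not usable as printed: the value is broken onto separate lines after `db2 update dbm cfg using SSL_CIPHERSPECS`, so pasting it runs the update with no value. Inside `lstlisting` the lines starting with `%` are also not LaTeX comments and will be typeset verbatim. The list is called recommended while the section says "not tested", and it places static-RSA suites (`TLS_RSA_WITH_...`) ahead of the ECDHE ones; if DB2 honours the listed order (not verifiable from this hunk), the forward-secret GCM suites should come first. Separately, the `\begin{description}` opened for DB2 has no matching `\end{description}` before `\subsubsection{Postgresql}`, and `\paragraph*{ssl_cipherspecs}` needs the underscore escaped as `ssl\_cipherspecs`.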
@@ -107,8 +148,3 @@ psql "sslmode=require host=postgres-server dbname=database" your-username
 
 \end{description}
 
-
-
-
-\subsubsection{Informix}
-\todo{write this}