Update: Practical recommendations - Webservers: CipherStrings match old CipherString...
authorGunnar Haslinger <gh.github@hitco.at>
Sat, 7 Nov 2015 15:10:42 +0000 (16:10 +0100)
committerGunnar Haslinger <gh.github@hitco.at>
Sat, 7 Nov 2015 15:10:42 +0000 (16:10 +0100)
src/configuration/Webservers/Apache/default-ssl
src/configuration/Webservers/Cherokee/cherokee.conf
src/configuration/Webservers/lighttpd/10-ssl-dh.conf
src/configuration/Webservers/lighttpd/10-ssl.conf
src/configuration/Webservers/nginx/default
src/configuration/Webservers/nginx/default-ec
src/configuration/Webservers/nginx/default-hsts
src/practical_settings/webserver.tex

index 2475f22..bbe4ce3 100644 (file)
        # At least use one Backup-Key and/or add whole CA, think of Cert-Updates!
        Header always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\"https://YOUR.REPORT.URL\""
 
-       SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
+       SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
 
        
        
index 9fd94c4..f997782 100644 (file)
@@ -52,7 +52,7 @@ vserver!1!rule!1!match = default
 vserver!1!ssl_certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 vserver!1!ssl_certificate_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 vserver!1!ssl_cipher_server_preference = 1
-vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 vserver!1!ssl_compression = 0
 vserver!1!ssl_dh_length = 2048
 
index b1a64d6..3e3d804 100644 (file)
@@ -6,7 +6,7 @@ $SERVER["socket"] == "0.0.0.0:443" {
        ssl.use-sslv3 = "disable"
        ssl.pemfile = "/etc/lighttpd/server.pem"
 
-       ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
+       ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
        ssl.honor-cipher-order = "enable"
     # use group16 dh parameters
        ssl.dh-file = "/etc/lighttpd/ssl/dh4096.pem"
index 4a467fc..72850e6 100644 (file)
@@ -7,7 +7,7 @@ $SERVER["socket"] == "0.0.0.0:443" {
        ssl.pemfile = "/etc/lighttpd/server.pem"
        ssl.ca-file = "/etc/ssl/certs/server.crt"
 
-       ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
+       ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
        ssl.honor-cipher-order = "enable"
        setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000") # six months
        # use this only if all subdomains support HTTPS!
index 088c9c6..c48740d 100644 (file)
@@ -112,7 +112,7 @@ server {
 
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
-       ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+       ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
        add_header Strict-Transport-Security max-age=15768000; # six months
        # use this only if all subdomains support HTTPS!
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
index eb172a2..a9c6d19 100644 (file)
@@ -112,7 +112,7 @@ server {
 
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
-       ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+       ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
        add_header Strict-Transport-Security max-age=15768000; # six months
        # use this only if all subdomains support HTTPS!
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
index b6745ac..3ab4b61 100644 (file)
@@ -62,7 +62,7 @@ server {
 
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
-       ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+       ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
        add_header Strict-Transport-Security max-age=15768000; # six months
        # use this only if all subdomains support HTTPS!
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
index 0c7ac80..a068626 100644 (file)
@@ -164,7 +164,7 @@ The configuration of the cherokee webserver is performed by an admin interface a
         \item \emph{Required SSL/TLS Values}: Fill in the correct paths for \emph{Certificate} and \emph{Certificate key}
         \item Advanced Options
         \begin{itemize*}
-            \item \emph{Ciphers}: \texttt{EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\newline EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:\newline+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:\newline!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA}
+            \item \emph{Ciphers}: \ttbox{\cipherStringB}
             \item \emph{Server Preference}: Prefer
             \item \emph{Compression}: Disabled
         \end{itemize*}