ach-master.git
Gunnar Haslinger [Sat, 7 Nov 2015 15:10:42 +0000 (16:10 +0100)]
Update: Practical recommendations - Webservers: CipherStrings match old CipherString-B updated to match current CipherString-B

Aaron Zauner [Sat, 7 Nov 2015 11:40:08 +0000 (12:40 +0100)]
Merge pull request #116 from jschlyter/haproxy_direct

add example for redirect from HTTP to HTTPS

Aaron Zauner [Sat, 7 Nov 2015 11:34:09 +0000 (12:34 +0100)]
Merge pull request #115 from gunnarhaslinger/master

Dovecot: added options of newer Versions

Jakob Schlyter [Fri, 6 Nov 2015 08:01:47 +0000 (09:01 +0100)]
add redirect from HTTP to HTTPS

Gunnar Haslinger [Mon, 26 Oct 2015 18:33:53 +0000 (19:33 +0100)]
Dovecot: added ssl_dh_parameters_length, ssl_prefer_server_ciphers and Test using SSLyze

Aaron Zauner [Thu, 22 Oct 2015 17:04:09 +0000 (19:04 +0200)]
Merge pull request #114 from dahlberg-fkie/master

Add unsorted/LibreSSL ciphers

David Dahlberg [Wed, 21 Oct 2015 08:41:23 +0000 (10:41 +0200)]
Add unsorted/LibreSSL ciphers

Aaron Zauner [Fri, 16 Oct 2015 23:09:59 +0000 (01:09 +0200)]
Merge pull request #113 from gunnarhaslinger/master

HTTP Public Key Pinning (HPKP), added new theory section and updated Apache-Config.

Gunnar Haslinger [Fri, 16 Oct 2015 21:55:32 +0000 (23:55 +0200)]
Corrected a copy+paste mistake

Gunnar Haslinger [Fri, 16 Oct 2015 21:35:25 +0000 (23:35 +0200)]
HTTP Public Key Pinning (HPKP), added new theory section and updated Apache-Config.

Gunnar Haslinger [Fri, 16 Oct 2015 18:23:17 +0000 (20:23 +0200)]
added list of supported cipher suites of some CentOS/Debian versions

Aaron Zauner [Wed, 19 Aug 2015 23:07:43 +0000 (01:07 +0200)]
Merge pull request #112 from dahlberg-fkie/master

New introduction into mail server settings

David Dahlberg [Mon, 3 Aug 2015 07:10:19 +0000 (09:10 +0200)]
incorporated sebix comments on 6334a5b

David Dahlberg [Wed, 29 Jul 2015 11:01:26 +0000 (13:01 +0200)]
New introduction into mail server settings

Aaron Zauner [Thu, 18 Jun 2015 09:18:46 +0000 (11:18 +0200)]
Merge pull request #111 from 2001db8/ironport-update

Link to AsyncOS 9.5 Release Notes

Jens [Thu, 18 Jun 2015 07:52:08 +0000 (09:52 +0200)]
Link to AsyncOS 9.5 Release Notes

Exchanged the link to a Cisco Tweet about the possibility of TLS 1.2
support in AsyncOS 9.5 with a link to the actual AsyncOS 9.5 Release
Notes.

Aaron Zauner [Sun, 24 May 2015 20:24:58 +0000 (22:24 +0200)]
Merge pull request #106 from 2001db8/ironport_subsection

Cisco ESA/IronPort subsection

Aaron Zauner [Sun, 24 May 2015 15:13:09 +0000 (17:13 +0200)]
Merge pull request #109 from rotanid/master

correct OpenSSH version number

Andreas Ziegler [Fri, 22 May 2015 21:19:38 +0000 (23:19 +0200)]
correct OpenSSH version number

Jens Roesen [Fri, 22 May 2015 08:57:17 +0000 (10:57 +0200)]
Minor changes and screenshots

- minor changes in the descriptions
- added screenshots for all steps
- added FloatBarrier (see PR #107)

Aaron Zauner [Thu, 14 May 2015 17:08:32 +0000 (19:08 +0200)]
Merge pull request #107 from arwarw/floatbarriers

Constrain figure positions by FloatBarrier

Aaron Zauner [Thu, 14 May 2015 17:08:14 +0000 (19:08 +0200)]
Merge pull request #108 from arwarw/kerberos-mit-db-enctype-upgrade

Kerberos: How to switch an existing database to a new enctype

Alexander Wuerstlein [Wed, 13 May 2015 14:28:42 +0000 (16:28 +0200)]
Kerberos: How to switch an existing database to a new enctype

Alexander Wuerstlein [Wed, 13 May 2015 14:48:13 +0000 (16:48 +0200)]
add \FloatBarrier to constrain screenshot figures to their respective sections

Aaron Zauner [Sat, 9 May 2015 19:14:49 +0000 (21:14 +0200)]
spell fix - s/stampling/stapling/

Aaron Zauner [Sat, 9 May 2015 19:10:32 +0000 (21:10 +0200)]
Merge pull request #105 from schue30/master

Add HAProxy configuration

Jens Roesen [Sat, 9 May 2015 17:15:44 +0000 (19:15 +0200)]
Minor edits... again

Mathias Schüpany [Sat, 9 May 2015 16:14:51 +0000 (18:14 +0200)]
Add OCSP stapling, HPKP and NPN.

Jens Roesen [Sat, 9 May 2015 15:24:06 +0000 (17:24 +0200)]
Minor changes

Jens Roesen [Sat, 9 May 2015 15:08:22 +0000 (17:08 +0200)]
Minor edits

Jens Roesen [Sat, 9 May 2015 14:45:06 +0000 (16:45 +0200)]
Added name to acknowledgements

Jens Roesen [Sat, 9 May 2015 14:42:45 +0000 (16:42 +0200)]
Added IronPort Subsection

Aaron Kaplan [Fri, 8 May 2015 18:07:48 +0000 (20:07 +0200)]
Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening

Aaron Kaplan [Fri, 8 May 2015 18:06:50 +0000 (20:06 +0200)]
minor corrections

Mathias Schuepany [Fri, 8 May 2015 17:05:06 +0000 (19:05 +0200)]
add HAProxy configuration

Adi Kriegisch [Sun, 3 May 2015 11:07:05 +0000 (13:07 +0200)]
fix latex build (escape underscores in \emph)

Aaron Zauner [Thu, 9 Apr 2015 07:41:12 +0000 (09:41 +0200)]
Merge pull request #100 from FireFart/changes

remove $host variable, add some tested versions

Aaron Zauner [Tue, 7 Apr 2015 09:47:45 +0000 (11:47 +0200)]
Merge pull request #101 from sebix/tested-on-trusty

tested exim, postfix, dovecot and lighttpd with ubuntu 14.04

Aaron Zauner [Tue, 7 Apr 2015 09:47:04 +0000 (11:47 +0200)]
Merge pull request #103 from sebix/uncovered-sw

Uncovered software and more for further research

Sebastian Wagner [Sun, 5 Apr 2015 19:28:54 +0000 (21:28 +0200)]
tested with ubuntu 14.04

Aaron Zauner [Tue, 7 Apr 2015 09:38:11 +0000 (11:38 +0200)]
Merge pull request #104 from sebix/explain-postfix

Explain postfix settings for s2s & s2c connections

Aaron Zauner [Tue, 7 Apr 2015 09:33:09 +0000 (11:33 +0200)]
Merge pull request #102 from sebix/ignoretmp

gitignore: ignore temporary files *~

Sebastian Wagner [Mon, 6 Apr 2015 15:35:25 +0000 (17:35 +0200)]
Explain postfix settings for s2s & s2c connections

As discussed in BetterCrypto/Applied-Crypto-Hardening#97

Sebastian Wagner [Sun, 5 Apr 2015 20:15:12 +0000 (22:15 +0200)]
Uncovered software and more for further research

Added some applications to the list of uncovered software, mainly inspired by messages on the mailing list
Removed some applications from the same list which are definitely not in the scope of this paper
And added a new section of uncovered software, with a short note on the reason

Sebastian Wagner [Sun, 5 Apr 2015 20:00:56 +0000 (22:00 +0200)]
gitignore: ignore temporary files *~

Christian Mehlmauer [Sun, 5 Apr 2015 08:09:21 +0000 (10:09 +0200)]
fix undefined reference J_BLACKHAT

Christian Mehlmauer [Sat, 4 Apr 2015 20:37:35 +0000 (22:37 +0200)]
change nginx config to $server_name

Christian Mehlmauer [Mon, 30 Mar 2015 15:12:23 +0000 (17:12 +0200)]
Don't use the $host variable in NGINX, it's user supplied data (HOST header)

Christian Mehlmauer [Mon, 30 Mar 2015 15:06:19 +0000 (17:06 +0200)]
add OpenSSH tested version

Pepi Zawodsky [Mon, 30 Mar 2015 00:48:26 +0000 (02:48 +0200)]
If there is a red line under it, check the speling.

Aaron Kaplan [Sun, 29 Mar 2015 20:48:10 +0000 (22:48 +0200)]
add picture back, but small

Aaron Kaplan [Sun, 29 Mar 2015 20:45:12 +0000 (22:45 +0200)]
Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening

Aaron Kaplan [Sun, 29 Mar 2015 20:44:56 +0000 (22:44 +0200)]
Revert "fix image"
Take Pepi's version

This reverts commit 05faee9d935736df4ebb9b03000eea99a1847861.

Aaron Kaplan [Sun, 29 Mar 2015 20:44:41 +0000 (22:44 +0200)]
fix image

Pepi Zawodsky [Sun, 29 Mar 2015 20:41:35 +0000 (22:41 +0200)]
Removed Klaus Landefeld picture. Corrected Logo Link for cover slide.

Aaron Kaplan [Sun, 29 Mar 2015 20:37:01 +0000 (22:37 +0200)]
oops

Pepi Zawodsky [Sun, 29 Mar 2015 20:35:56 +0000 (22:35 +0200)]
Merge branch 'master' of github:BetterCrypto/Applied-Crypto-Hardening

Pepi Zawodsky [Sun, 29 Mar 2015 20:35:50 +0000 (22:35 +0200)]
Added Klaus Landefeld quote about End-to-End crypto.

Aaron Kaplan [Sun, 29 Mar 2015 20:35:06 +0000 (22:35 +0200)]
add brainstorming slide

Aaron Kaplan [Sun, 29 Mar 2015 20:21:49 +0000 (22:21 +0200)]
clarify DANE

Aaron Kaplan [Sun, 29 Mar 2015 20:18:44 +0000 (22:18 +0200)]
Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening

Aaron Kaplan [Sun, 29 Mar 2015 20:18:22 +0000 (22:18 +0200)]
remove some slides at the end

Pepi Zawodsky [Sun, 29 Mar 2015 20:17:00 +0000 (22:17 +0200)]
Recommend OCSP stapling

Aaron Kaplan [Sun, 29 Mar 2015 20:14:00 +0000 (22:14 +0200)]
Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening

Aaron Kaplan [Sun, 29 Mar 2015 20:13:48 +0000 (22:13 +0200)]
add sslyze & screenshots

Pepi Zawodsky [Sun, 29 Mar 2015 20:11:46 +0000 (22:11 +0200)]
Added VM recommendation for RNGs and caveat for cipher strings.

Pepi Zawodsky [Sun, 29 Mar 2015 20:02:31 +0000 (22:02 +0200)]
less defensive status statement.

Pepi Zawodsky [Sun, 29 Mar 2015 19:57:00 +0000 (21:57 +0200)]
Changed filename of SSLLabs screenshot so LaTeX will not be confused by extension parsing.

Pepi Zawodsky [Sun, 29 Mar 2015 19:47:55 +0000 (21:47 +0200)]
Merge branch 'master' of github:BetterCrypto/Applied-Crypto-Hardening

Pepi Zawodsky [Sun, 29 Mar 2015 19:47:48 +0000 (21:47 +0200)]
Updated Screenshot for SSLLabs. Disable RC4.

Aaron Kaplan [Sun, 29 Mar 2015 19:45:08 +0000 (21:45 +0200)]
Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening

Aaron Kaplan [Sun, 29 Mar 2015 19:44:11 +0000 (21:44 +0200)]
add slides with questions for organisations how they can
achieve crypto deployment agility

Pepi Zawodsky [Sun, 29 Mar 2015 19:42:32 +0000 (21:42 +0200)]
Added new screenshot for SSLLabs test for bettercrypto.org

Pepi Zawodsky [Sun, 29 Mar 2015 19:23:07 +0000 (21:23 +0200)]
Changed date format to ISO8601

Aaron Kaplan [Sun, 29 Mar 2015 19:00:45 +0000 (21:00 +0200)]
add license

Aaron Kaplan [Sun, 29 Mar 2015 18:58:38 +0000 (20:58 +0200)]
initial slide deck for trainings

Aaron Zauner [Mon, 16 Mar 2015 16:08:46 +0000 (17:08 +0100)]
add comment on openvpn duplexing

Aaron Zauner [Mon, 16 Mar 2015 15:54:20 +0000 (16:54 +0100)]
Revert "comment-out OpenVPN, see GitHub #91"

This reverts commit 7b6fd17814acdbb2304ca3e84e99b02fe919abe6.

Aaron Zauner [Sat, 7 Mar 2015 16:25:15 +0000 (17:25 +0100)]
Merge pull request #99 from shotty1/master

Added -sha256 for generating keys

shotty1 [Sat, 7 Mar 2015 11:24:47 +0000 (12:24 +0100)]
Added -sha256 for generating keys

Please check if this is OK. It improved the ssllabs results for me, removing the warning about SHA1.

Aaron Zauner [Wed, 18 Feb 2015 18:45:16 +0000 (19:45 +0100)]
comment-out OpenVPN, see GitHub #91

Aaron Zauner [Wed, 18 Feb 2015 18:37:43 +0000 (19:37 +0100)]
Merge pull request #95 from sebix/cherokee-webserver

Adding section for cherokee webserver

Aaron Zauner [Wed, 18 Feb 2015 18:37:19 +0000 (19:37 +0100)]
Merge pull request #94 from sebix/stunnel

Adding stunnel section to proxies

Aaron Zauner [Wed, 18 Feb 2015 18:34:40 +0000 (19:34 +0100)]
Merge pull request #96 from BetterCrypto/revert-80-master

Revert "Adding prosody"

Aaron Zauner [Wed, 18 Feb 2015 18:34:30 +0000 (19:34 +0100)]
Revert "Adding prosody"

Sebastian Wagner [Wed, 18 Feb 2015 11:12:42 +0000 (12:12 +0100)]
Adding section for cherokee webserver

Sebastian Wagner [Fri, 13 Feb 2015 09:42:23 +0000 (10:42 +0100)]
Adding stunnel section to proxies

Aaron Zauner [Fri, 13 Feb 2015 06:49:29 +0000 (07:49 +0100)]
Merge pull request #92 from sebix/master

Add certificate chain files to configs of apache and lighttpd

Aaron Zauner [Fri, 13 Feb 2015 06:49:10 +0000 (07:49 +0100)]
Merge pull request #93 from 2001db8/master

Corrected the link for the SSL Labs Best Practices Guide

Jens Roesen [Fri, 6 Feb 2015 14:32:25 +0000 (15:32 +0100)]
Corrected link for SSL Labs Best Practices Guide

Link was 404. Changed it for a working one pointing to version 1.3 of
the guide.

Aaron Zauner [Sat, 24 Jan 2015 23:06:57 +0000 (00:06 +0100)]
Merge pull request #83 from DigNative/pdfmapfile

Modifying `\pdfmapfile' modifiers to not issue warnings on duplicate font map entries anymore.

Aaron Zauner [Sat, 24 Jan 2015 23:06:47 +0000 (00:06 +0100)]
Merge pull request #85 from DigNative/neboltai-jpg

File `neboltai.png` is actually a JPG file.

Aaron Zauner [Sat, 24 Jan 2015 23:04:59 +0000 (00:04 +0100)]
Merge pull request #84 from DigNative/ignore-configfiles

Adding `/src/configfiles.txt` to ignore list.

Sebastian Wagner [Sat, 24 Jan 2015 13:00:08 +0000 (14:00 +0100)]
Add cert chains for apache and lighttpd

Aaron Zauner [Fri, 12 Dec 2014 20:25:54 +0000 (21:25 +0100)]
Merge pull request #87 from julianladisch/Header-always-add

HSTS Apache: Header always add/set

julianladisch [Fri, 12 Dec 2014 15:46:21 +0000 (16:46 +0100)]
HSTS Apache: Header always add/set

Add "always" as Redirections and "Forbidden" pages should also get HSTS:
https://httpd.apache.org/docs/2.4/mod/mod_headers.html

Replace "add" by "set" to prevent adding a second HSTS field: "If an STS
header field is included, the HSTS Host MUST include only one such
header field." https://tools.ietf.org/html/rfc6797#section-7.1

Aaron Zauner [Fri, 12 Dec 2014 15:02:31 +0000 (16:02 +0100)]
Merge pull request #86 from julianladisch/Header-always-set

HSTS Apache: Header always set

julianladisch [Fri, 12 Dec 2014 14:58:02 +0000 (15:58 +0100)]
HSTS Apache: Header always set

Redirections and "Forbidden" pages should also get HSTS.

Aaron Zauner [Sun, 16 Nov 2014 15:34:57 +0000 (16:34 +0100)]
fixed path for prosody (#81)

Aaron Kaplan [Mon, 10 Nov 2014 19:50:41 +0000 (20:50 +0100)]
path was wrong