From f806c8e432589b08273e0d54ecfe763205ab5d37 Mon Sep 17 00:00:00 2001
From: Gunnar Haslinger <gh.github@hitco.at>
Date: Sat, 7 Nov 2015 16:10:42 +0100
Subject: [PATCH] Update: Practical recommendations - Webservers: CipherStrings
 match old CipherString-B updated to match current CipherString-B

---
 src/configuration/Webservers/Apache/default-ssl      | 2 +-
 src/configuration/Webservers/Cherokee/cherokee.conf  | 2 +-
 src/configuration/Webservers/lighttpd/10-ssl-dh.conf | 2 +-
 src/configuration/Webservers/lighttpd/10-ssl.conf    | 2 +-
 src/configuration/Webservers/nginx/default           | 2 +-
 src/configuration/Webservers/nginx/default-ec        | 2 +-
 src/configuration/Webservers/nginx/default-hsts      | 2 +-
 src/practical_settings/webserver.tex                 | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/configuration/Webservers/Apache/default-ssl b/src/configuration/Webservers/Apache/default-ssl
index 2475f22..bbe4ce3 100644
--- a/src/configuration/Webservers/Apache/default-ssl
+++ b/src/configuration/Webservers/Apache/default-ssl
@@ -173,7 +173,7 @@
 	# At least use one Backup-Key and/or add whole CA, think of Cert-Updates!
 	Header always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\"https://YOUR.REPORT.URL\""
 
-	SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
+	SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
 
 	
 	
diff --git a/src/configuration/Webservers/Cherokee/cherokee.conf b/src/configuration/Webservers/Cherokee/cherokee.conf
index 9fd94c4..f997782 100644
--- a/src/configuration/Webservers/Cherokee/cherokee.conf
+++ b/src/configuration/Webservers/Cherokee/cherokee.conf
@@ -52,7 +52,7 @@ vserver!1!rule!1!match = default
 vserver!1!ssl_certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 vserver!1!ssl_certificate_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 vserver!1!ssl_cipher_server_preference = 1
-vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 vserver!1!ssl_compression = 0
 vserver!1!ssl_dh_length = 2048
 
diff --git a/src/configuration/Webservers/lighttpd/10-ssl-dh.conf b/src/configuration/Webservers/lighttpd/10-ssl-dh.conf
index b1a64d6..3e3d804 100644
--- a/src/configuration/Webservers/lighttpd/10-ssl-dh.conf
+++ b/src/configuration/Webservers/lighttpd/10-ssl-dh.conf
@@ -6,7 +6,7 @@ $SERVER["socket"] == "0.0.0.0:443" {
 	ssl.use-sslv3 = "disable"
 	ssl.pemfile = "/etc/lighttpd/server.pem"
 
-	ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
+	ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
 	ssl.honor-cipher-order = "enable"
     # use group16 dh parameters
 	ssl.dh-file = "/etc/lighttpd/ssl/dh4096.pem"
diff --git a/src/configuration/Webservers/lighttpd/10-ssl.conf b/src/configuration/Webservers/lighttpd/10-ssl.conf
index 4a467fc..72850e6 100644
--- a/src/configuration/Webservers/lighttpd/10-ssl.conf
+++ b/src/configuration/Webservers/lighttpd/10-ssl.conf
@@ -7,7 +7,7 @@ $SERVER["socket"] == "0.0.0.0:443" {
 	ssl.pemfile = "/etc/lighttpd/server.pem"
 	ssl.ca-file = "/etc/ssl/certs/server.crt"
 
-	ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
+	ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
 	ssl.honor-cipher-order = "enable"
 	setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000") # six months
 	# use this only if all subdomains support HTTPS!
diff --git a/src/configuration/Webservers/nginx/default b/src/configuration/Webservers/nginx/default
index 088c9c6..c48740d 100644
--- a/src/configuration/Webservers/nginx/default
+++ b/src/configuration/Webservers/nginx/default
@@ -112,7 +112,7 @@ server {
 
 	ssl_prefer_server_ciphers on;
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
-	ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+	ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
 	add_header Strict-Transport-Security max-age=15768000; # six months
 	# use this only if all subdomains support HTTPS!
 	# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
diff --git a/src/configuration/Webservers/nginx/default-ec b/src/configuration/Webservers/nginx/default-ec
index eb172a2..a9c6d19 100644
--- a/src/configuration/Webservers/nginx/default-ec
+++ b/src/configuration/Webservers/nginx/default-ec
@@ -112,7 +112,7 @@ server {
 
 	ssl_prefer_server_ciphers on;
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
-	ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+	ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
 	add_header Strict-Transport-Security max-age=15768000; # six months
 	# use this only if all subdomains support HTTPS!
 	# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
diff --git a/src/configuration/Webservers/nginx/default-hsts b/src/configuration/Webservers/nginx/default-hsts
index b6745ac..3ab4b61 100644
--- a/src/configuration/Webservers/nginx/default-hsts
+++ b/src/configuration/Webservers/nginx/default-hsts
@@ -62,7 +62,7 @@ server {
 
 	ssl_prefer_server_ciphers on;
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
-	ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+	ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
 	add_header Strict-Transport-Security max-age=15768000; # six months
 	# use this only if all subdomains support HTTPS!
 	# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
diff --git a/src/practical_settings/webserver.tex b/src/practical_settings/webserver.tex
index 0c7ac80..a068626 100644
--- a/src/practical_settings/webserver.tex
+++ b/src/practical_settings/webserver.tex
@@ -164,7 +164,7 @@ The configuration of the cherokee webserver is performed by an admin interface a
         \item \emph{Required SSL/TLS Values}: Fill in the correct paths for \emph{Certificate} and \emph{Certificate key}
         \item Advanced Options
         \begin{itemize*}
-            \item \emph{Ciphers}: \texttt{EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\newline EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:\newline+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:\newline!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA}
+            \item \emph{Ciphers}: \ttbox{\cipherStringB}
             \item \emph{Server Preference}: Prefer
             \item \emph{Compression}: Disabled
         \end{itemize*}
-- 
2.20.1