From f806c8e432589b08273e0d54ecfe763205ab5d37 Mon Sep 17 00:00:00 2001
From: Gunnar Haslinger
Date: Sat, 7 Nov 2015 16:10:42 +0100
Subject: [PATCH] Update: Practical recommendations - Webservers: CipherStrings match old CipherString-B updated to match current CipherString-B
---
 src/configuration/Webservers/Apache/default-ssl | 2 +-
 src/configuration/Webservers/Cherokee/cherokee.conf | 2 +-
 src/configuration/Webservers/lighttpd/10-ssl-dh.conf | 2 +-
 src/configuration/Webservers/lighttpd/10-ssl.conf | 2 +-
 src/configuration/Webservers/nginx/default | 2 +-
 src/configuration/Webservers/nginx/default-ec | 2 +-
 src/configuration/Webservers/nginx/default-hsts | 2 +-
 src/practical_settings/webserver.tex | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/configuration/Webservers/Apache/default-ssl b/src/configuration/Webservers/Apache/default-ssl
index 2475f22..bbe4ce3 100644
--- a/src/configuration/Webservers/Apache/default-ssl
+++ b/src/configuration/Webservers/Apache/default-ssl
@@ -173,7 +173,7 @@
 # At least use one Backup-Key and/or add whole CA, think of Cert-Updates!
 Header always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\"https://YOUR.REPORT.URL\""
- SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
+ SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
diff --git a/src/configuration/Webservers/Cherokee/cherokee.conf b/src/configuration/Webservers/Cherokee/cherokee.conf
index 9fd94c4..f997782 100644
--- a/src/configuration/Webservers/Cherokee/cherokee.conf
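Review bot: The new `SSLCipherSuite` lists the DHE aliases (`EDH+CAMELLIA:EDH+aRSA`) ahead of every ECDHE alias, so once the server enforces its order most clients will land on DHE and the strength of that exchange is bounded by the DH group Apache offers; neither `SSLHonorCipherOrder On` nor any DH-parameter setting is visible in this hunk, and the enclosing `<VirtualHost>` block starts and ends outside it. As far as I recall, mod_ssl from 2.4.7 picks a DH group matching the RSA key size, whereas older releases fall back to a 1024-bit group unless `SSLOpenSSLConfCmd DHParameters /etc/apache2/ssl/dh2048.pem` is given, so it is worth stating which release the example targets. Since this value is now meant to be a verbatim copy of Cipher String B, a comment above the directive would also help the next sync, e.g. `# Cipher string B - keep identical to the \cipherStringB macro used in webserver.tex; DHE is preferred, so DH parameters must be >= 2048 bit`.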
+++ b/src/configuration/Webservers/Cherokee/cherokee.conf
@@ -52,7 +52,7 @@ vserver!1!rule!1!match = default
 vserver!1!ssl_certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 vserver!1!ssl_certificate_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 vserver!1!ssl_cipher_server_preference = 1
-vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 vserver!1!ssl_compression = 0
 vserver!1!ssl_dh_length = 2048
diff --git a/src/configuration/Webservers/lighttpd/10-ssl-dh.conf b/src/configuration/Webservers/lighttpd/10-ssl-dh.conf
index b1a64d6..3e3d804 100644
--- a/src/configuration/Webservers/lighttpd/10-ssl-dh.conf
+++ b/src/configuration/Webservers/lighttpd/10-ssl-dh.conf
@@ -6,7 +6,7 @@ $SERVER["socket"] == "0.0.0.0:443" {
 ssl.use-sslv3 = "disable"
 ssl.pemfile = "/etc/lighttpd/server.pem"
- ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
+ ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
 ssl.honor-cipher-order = "enable"
 # use group16 dh parameters
 ssl.dh-file = "/etc/lighttpd/ssl/dh4096.pem"
diff --git a/src/configuration/Webservers/lighttpd/10-ssl.conf b/src/configuration/Webservers/lighttpd/10-ssl.conf
index 4a467fc..72850e6 100644
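Review bot: The `vserver!1!ssl_ciphers` value is one of seven hand-maintained copies of the same string in this series, and the copy being replaced had already drifted from the others (`!aNULL!eNULL` without the `:` separator, which OpenSSL's cipher-string parser happens to tolerate but which shows the copies were not kept in sync). A one-line comment naming the policy string each copy mirrors would make the next update easier to do completely, e.g. `# Cipher string B - keep identical to the \cipherStringB macro used in webserver.tex` on the line above, provided Cherokee's config parser accepts `#` comment lines (I believe it does; confirm). The DH side is fine here: `ssl_dh_length = 2048` and `ssl_cipher_server_preference = 1` are both in the hunk's context.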
--- a/src/configuration/Webservers/lighttpd/10-ssl.conf
+++ b/src/configuration/Webservers/lighttpd/10-ssl.conf
@@ -7,7 +7,7 @@ $SERVER["socket"] == "0.0.0.0:443" {
 ssl.pemfile = "/etc/lighttpd/server.pem"
 ssl.ca-file = "/etc/ssl/certs/server.crt"
- ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
+ ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
 ssl.honor-cipher-order = "enable"
 setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=15768000") # six months
 # use this only if all subdomains support HTTPS!
diff --git a/src/configuration/Webservers/nginx/default b/src/configuration/Webservers/nginx/default
index 088c9c6..c48740d 100644
--- a/src/configuration/Webservers/nginx/default
+++ b/src/configuration/Webservers/nginx/default
@@ -112,7 +112,7 @@ server {
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
- ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+ ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
 add_header Strict-Transport-Security max-age=15768000; # six months
 # use this only if all subdomains support HTTPS!
 # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
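Review bot: The new `ssl.cipher-list` puts the DHE aliases before ECDHE, and with `ssl.honor-cipher-order = "enable"` in the context below that is what most clients will negotiate, yet unlike the sibling `10-ssl-dh.conf` this hunk shows no `ssl.dh-file`; the enclosing `$SERVER["socket"]` block starts before and ends after the hunk, so it may be set elsewhere, but if it is not, lighttpd falls back to its built-in DH group, which in releases of that era was 1024-bit as far as I recall. Either add `ssl.dh-file = "/etc/lighttpd/ssl/dh4096.pem"` next to the cipher list here as well, or mark the omission with a comment such as `# no ssl.dh-file set: see 10-ssl-dh.conf for the recommended DH parameters` so this file is not taken as the complete recommendation.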
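Review bot: `ssl_ciphers` now ranks DHE ahead of ECDHE and `ssl_prefer_server_ciphers on` (context line above) makes that order binding, so the DH group nginx offers decides the security of most handshakes; no `ssl_dhparam` appears in this hunk, and the `server {` block it belongs to starts and ends outside it. nginx releases current at the time of this patch used a built-in 1024-bit group when `ssl_dhparam` was absent (later versions changed this, as far as I remember), which would undo the point of preferring DHE. If the directive is not set elsewhere in the file, add `ssl_dhparam /etc/nginx/ssl/dh4096.pem;` next to `ssl_ciphers`, or at least a comment `# DHE is preferred: ssl_dhparam with >= 2048-bit parameters is required`. The identical hunks in `default-ec` and `default-hsts` have the same gap.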
diff --git a/src/configuration/Webservers/nginx/default-ec b/src/configuration/Webservers/nginx/default-ec
index eb172a2..a9c6d19 100644
--- a/src/configuration/Webservers/nginx/default-ec
+++ b/src/configuration/Webservers/nginx/default-ec
@@ -112,7 +112,7 @@ server {
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
- ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+ ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
 add_header Strict-Transport-Security max-age=15768000; # six months
 # use this only if all subdomains support HTTPS!
 # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
diff --git a/src/configuration/Webservers/nginx/default-hsts b/src/configuration/Webservers/nginx/default-hsts
index b6745ac..3ab4b61 100644
--- a/src/configuration/Webservers/nginx/default-hsts
+++ b/src/configuration/Webservers/nginx/default-hsts
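Review bot: The new `ssl_ciphers` keeps `!ECDSA`, which permanently removes every ECDHE-ECDSA suite; if `default-ec` is the variant for an EC (ECDSA) certificate — the file name suggests so, but the certificate directives and the rest of the `server {` block are outside this hunk — the server would have no suite that certificate can use and every handshake would fail. The old value carried the same `!ECDSA`, so this is not a regression, but copying the RSA-oriented string B into an EC-specific example deserves either a different string (drop `!ECDSA` and give the `EECDH+aRSA` groups `EECDH+aECDSA` counterparts) or a comment making the assumption explicit, e.g. `# string B assumes an RSA certificate: !ECDSA disables all ECDSA suites`.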
@@ -62,7 +62,7 @@ server {
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
- ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+ ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
 add_header Strict-Transport-Security max-age=15768000; # six months
 # use this only if all subdomains support HTTPS!
 # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
diff --git a/src/practical_settings/webserver.tex b/src/practical_settings/webserver.tex
index 0c7ac80..a068626 100644
--- a/src/practical_settings/webserver.tex
+++ b/src/practical_settings/webserver.tex
@@ -164,7 +164,7 @@ The configuration of the cherokee webserver is performed by an admin interface a
 \item \emph{Required SSL/TLS Values}: Fill in the correct paths for \emph{Certificate} and \emph{Certificate key}
 \item Advanced Options
 \begin{itemize*}
- \item \emph{Ciphers}: \texttt{EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\newline EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:\newline+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:\newline!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA}
+ \item \emph{Ciphers}: \ttbox{\cipherStringB}
 \item \emph{Server Preference}: Prefer
 \item \emph{Compression}: Disabled
 \end{itemize*}
--
2.20.1
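Review bot: In this file the new `ssl_ciphers` sits next to an unconditional `add_header Strict-Transport-Security` (context line below), so a client that cannot agree on any suite is locked out instead of quietly falling back to HTTP; the two trailing static-RSA suites `CAMELLIA128-SHA:AES128-SHA` are what keep clients without DHE/ECDHE support connected, at the cost of forward secrecy for them, and that trade-off is invisible in the config and likely to be "cleaned up" as weak later. Note also that the tail only helps clients that do not offer DHE at all: one that offers DHE-RSA but cannot handle a large DH group (Java 7, as far as I recall, stops at 1024 bits) is still steered onto DHE by `ssl_prefer_server_ciphers on` and fails. Add a comment on the line before `ssl_ciphers`, e.g. `# trailing CAMELLIA128-SHA:AES128-SHA (static RSA, no PFS) are a deliberate legacy-client fallback; with HSTS there is no HTTP fallback`. The `server {` block containing these lines begins and ends outside the hunk.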