diff --git a/configs/apache2/https-hsts.conf b/configs/apache2/https-hsts.conf index 29a78a8..5aa65f8 100644 --- a/configs/apache2/https-hsts.conf +++ b/configs/apache2/https-hsts.conf @@ -1,32 +1,37 @@ # -# This is an example of a medium security, highly compatible SSLv3 and TLSv1 -# enabled HTTPS server. The server prefers modes that provide perfect forward -# secrecy but does not require it. Anonymous cipher modes are disabled. This +# This is an example of a high security, somewhat compatible TLSv1 (and TLSv1.1 & TLSv1.2) +# enabled HTTPS server. The server requires modes that provide perfect forward +# secrecy. Anonymous cipher modes are disabled. This # configuation also includes the HSTS header to ensure that users do not # accidentally connect to an insecure HTTP service after their first visit. The # HSTS header is set to expire after six earth months. # -# Supported Server Cipher(s): -# Accepted SSLv3 256 bits DHE-RSA-AES256-SHA -# Accepted SSLv3 256 bits AES256-SHA -# Accepted SSLv3 128 bits DHE-RSA-AES128-SHA -# Accepted SSLv3 128 bits AES128-SHA -# Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA -# Accepted SSLv3 168 bits DES-CBC3-SHA -# Accepted TLSv1 256 bits DHE-RSA-AES256-SHA -# Accepted TLSv1 256 bits AES256-SHA -# Accepted TLSv1 128 bits DHE-RSA-AES128-SHA -# Accepted TLSv1 128 bits AES128-SHA -# Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA -# Accepted TLSv1 168 bits DES-CBC3-SHA +# Supported Server Cipher(s): # -# Prefered Server Cipher(s): -# SSLv3 256 bits DHE-RSA-AES256-SHA -# TLSv1 256 bits DHE-RSA-AES256-SHA +# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256 +# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128 +# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256 +# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128 +# TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) ECDH 256 bits (eq. 3072 bits RSA) FS 128 +# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256 +# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128 +# TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256 +# TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256 +# TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256 +# TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256 +# TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128 +# TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128 +# TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128 +# TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128 +# TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128 +# TLS_RSA_WITH_RC4_128_SHA (0x5) 128 # # This configuration requires mod_headers, mod_ssl, it binds to TCP port 443, it only # logs errors, and disables the server signature. # +# The version of OpenSSL should 1.0.1d or higher. +# + NameVirtualHost 1.2.3.4:443 @@ -39,8 +44,8 @@ NameVirtualHost 1.2.3.4:443 SSLCertificateFile /etc/apache2/ssl/www.example.com.crt SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key - SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 - SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH + SSLProtocol all -SSLv2 -SSLv3 + SSLCipherSuite SSLCipherSuite EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS SSLHonorCipherOrder on SSLCompression off diff --git a/configs/nginx/nginx.conf b/configs/nginx/nginx.conf index f12cbb5..992ecbe 100644 --- a/configs/nginx/nginx.conf +++ b/configs/nginx/nginx.conf @@ -1,29 +1,42 @@ # -# This is an example of a high security, somewhat compatible SSLv3 and TLSv1 +# This is an example of a high security, somewhat compatible TLSv1 (TLSv1.1 & TLSv1.2) # enabled HTTPS proxy server. The server only allows modes that provide perfect # forward secrecy; no other modes are offered. Anonymous cipher modes are -# disabled. This configuation does not include the HSTS header to ensure that +# disabled. +# +# This configuation does include the HSTS header to ensure that # users do not accidentally connect to an insecure HTTP service after their # first visit. This configuration will automatically redirect all traffic on # TCP port 80 to TCP port 443. All traffic requested will be redirected through # a local HTTP proxy. This configuration file is what powers tor2web.com. # -# Supported Server Cipher(s): -# Accepted SSLv3 256 bits DHE-RSA-AES256-SHA -# Accepted SSLv3 128 bits DHE-RSA-AES128-SHA -# Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA -# Accepted TLSv1 256 bits DHE-RSA-AES256-SHA -# Accepted TLSv1 128 bits DHE-RSA-AES128-SHA -# Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA +# Supported Server Cipher(s): +# +# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256 +# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128 +# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256 +# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128 +# TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) ECDH 256 bits (eq. 3072 bits RSA) FS 128 +# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256 +# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128 +# TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256 +# TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256 +# TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256 +# TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256 +# TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128 +# TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128 +# TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128 +# TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128 +# TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128 +# TLS_RSA_WITH_RC4_128_SHA (0x5) 128 # -# Prefered Server Cipher(s): -# SSLv3 256 bits DHE-RSA-AES256-SHA -# TLSv1 256 bits DHE-RSA-AES256-SHA # # This configuration requires a modern nginx server linked against openssl, it # binds to TCP port 443 and TCP port 80, it only logs errors, drops privs from # root to www-data, and disables the server signature. # +# The version of OpenSSL should 1.0.1d or higher. +# user www-data; worker_processes 1; @@ -63,8 +76,8 @@ server { ssl_session_timeout 10m; # Only strong ciphers in PFS mode - ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA; - ssl_protocols SSLv3 TLSv1; + ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # For ssl client certificates, edit ssl_client_certificate # (specifies a file containing permissable CAs) and uncomment the