Updated to PFS only configs for Nginx & Apache2

configs/apache2/https-hsts.conf

@@ -1,32 +1,37 @@
 #
-# This is an example of a medium security, highly compatible SSLv3 and TLSv1
-# enabled HTTPS server. The server prefers modes that provide perfect forward
-# secrecy but does not require it. Anonymous cipher modes are disabled. This
+# This is an example of a high security, somewhat compatible TLSv1 (and TLSv1.1 & TLSv1.2)
+# enabled HTTPS server. The server requires modes that provide perfect forward
+# secrecy. Anonymous cipher modes are disabled. This
 # configuation also includes the HSTS header to ensure that users do not
 # accidentally connect to an insecure HTTP service after their first visit. The
 # HSTS header is set to expire after six earth months.
 #
-#  Supported Server Cipher(s):
-#    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
-#    Accepted  SSLv3  256 bits  AES256-SHA
-#    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
-#    Accepted  SSLv3  128 bits  AES128-SHA
-#    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
-#    Accepted  SSLv3  168 bits  DES-CBC3-SHA
-#    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
-#    Accepted  TLSv1  256 bits  AES256-SHA
-#    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
-#    Accepted  TLSv1  128 bits  AES128-SHA
-#    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
-#    Accepted  TLSv1  168 bits  DES-CBC3-SHA
+# Supported Server Cipher(s):
 #
-#  Prefered Server Cipher(s):
-#    SSLv3  256 bits  DHE-RSA-AES256-SHA
-#    TLSv1  256 bits  DHE-RSA-AES256-SHA
+# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)   FS 256
+# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   FS 128
+# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   FS 256
+# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   FS 128
+# TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   ECDH 256 bits (eq. 3072 bits RSA)   FS    128
+# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   FS    256
+# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS    128
+# TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS  256
+# TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS  256
+# TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS 256
+# TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS    256
+# TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS  128
+# TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS  128
+# TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS 128
+# TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS    128
+# TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS    128
+# TLS_RSA_WITH_RC4_128_SHA (0x5)  128
 #
 # This configuration requires mod_headers, mod_ssl, it binds to TCP port 443, it only
 # logs errors, and disables the server signature.
 #
+# The version of OpenSSL should 1.0.1d or higher.
+# 
+
 
 NameVirtualHost 1.2.3.4:443
 <VirtualHost 1.2.3.4:443>
@@ -39,8 +44,8 @@ NameVirtualHost 1.2.3.4:443
     SSLCertificateFile /etc/apache2/ssl/www.example.com.crt
     SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key
 
-    SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
-    SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
+    SSLProtocol all -SSLv2 -SSLv3
+    SSLCipherSuite SSLCipherSuite EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS
     SSLHonorCipherOrder on
     SSLCompression off
 

configs/nginx/nginx.conf

@@ -1,29 +1,42 @@
 #
-# This is an example of a high security, somewhat compatible SSLv3 and TLSv1
+# This is an example of a high security, somewhat compatible TLSv1 (TLSv1.1 & TLSv1.2)
 # enabled HTTPS proxy server. The server only allows modes that provide perfect
 # forward secrecy; no other modes are offered. Anonymous cipher modes are
-# disabled.  This configuation does not include the HSTS header to ensure that
+# disabled.  
+# 
+# This configuation does include the HSTS header to ensure that
 # users do not accidentally connect to an insecure HTTP service after their
 # first visit. This configuration will automatically redirect all traffic on
 # TCP port 80 to TCP port 443. All traffic requested will be redirected through
 # a local HTTP proxy. This configuration file is what powers tor2web.com.
 #
-#  Supported Server Cipher(s):
-#    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
-#    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
-#    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
-#    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
-#    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
-#    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
+# Supported Server Cipher(s):
+#
+# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)   FS 256
+# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   FS 128
+# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   FS 256
+# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   FS 128
+# TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   ECDH 256 bits (eq. 3072 bits RSA)   FS    128
+# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   FS    256
+# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS    128
+# TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS  256
+# TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS  256
+# TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS 256
+# TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS    256
+# TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS  128
+# TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS  128
+# TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS 128
+# TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS    128
+# TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS    128
+# TLS_RSA_WITH_RC4_128_SHA (0x5)  128
 #
-#  Prefered Server Cipher(s):
-#    SSLv3  256 bits  DHE-RSA-AES256-SHA
-#    TLSv1  256 bits  DHE-RSA-AES256-SHA
 #
 # This configuration requires a modern nginx server linked against openssl, it
 # binds to TCP port 443 and TCP port 80, it only logs errors, drops privs from
 # root to www-data, and disables the server signature.
 #
+# The version of OpenSSL should 1.0.1d or higher.
+#
 
 user www-data;
 worker_processes  1;
@@ -63,8 +76,8 @@ server {
     ssl_session_timeout 10m;
 
     # Only strong ciphers in PFS mode
-    ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
-    ssl_protocols SSLv3 TLSv1;
+    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
     # For ssl client certificates, edit ssl_client_certificate
     # (specifies a file containing permissable CAs) and uncomment the