author | Gene Wood <gene_wood@cementhorizon.com> | 2015-04-15 14:19:48 -0700 |
---|---|---|
committer | Gene Wood <gene_wood@cementhorizon.com> | 2015-04-15 14:19:48 -0700 |
commit | 46c02e0599835430bedcaa1a8eeec6ebc67a1867 (patch) | |
tree | 2eb07c8d2417e879904945d3c5390820c31dfe23 | |
parent | c46f58c2033340a4492b78342a3f8e944f13c9b4 (diff) | |
Fixing mixed whitespace
Fixing permalink when fallbackprofile is used
-rw-r--r-- | ssl-config-generator/index.html | 189 |
1 files changed, 97 insertions, 92 deletions
diff --git a/ssl-config-generator/index.html b/ssl-config-generator/index.html
index d30efd7..6b80cb8 100644
--- a/ssl-config-generator/index.html
+++ b/ssl-config-generator/index.html
@@ -110,46 +110,46 @@ frontend ft_test </script> <script> - var profiles = { - modern: { - cipherSuite: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK', - sslProtocols: { - apache: 'all -SSLv2 -SSLv3 -TLSv1', - nginx: 'TLSv1.1 TLSv1.2', - haproxy: 'ssl no-sslv3 no-tlsv10' - }, - clientList: 'Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7, Android 4.4, Java 8', - maxDHKeySize: '2048', - messages: [] - }, - intermediate: { - cipherSuite: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA', - sslProtocols: { - apache: 'all -SSLv2 -SSLv3', - nginx: 'TLSv1 TLSv1.1 TLSv1.2', - haproxy: 'ssl no-sslv3' - }, - clientList: 'Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7', - maxDHKeySize: '1024', - messages: [] - }, - old: { - cipherSuite: 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA', - sslProtocols: { - apache: 'all -SSLv2', - nginx: 'SSLv3 TLSv1 TLSv1.1 TLSv1.2', - haproxy: 'ssl' - }, - clientList: 'Windows XP IE6, Java 6', - maxDHKeySize: '1024', - messages: [] - } - }; + var profiles = { + modern: { + cipherSuite: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK', + sslProtocols: { + apache: 'all -SSLv2 -SSLv3 -TLSv1', + nginx: 'TLSv1.1 TLSv1.2', + haproxy: 'ssl no-sslv3 no-tlsv10' + }, + clientList: 'Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7, Android 4.4, Java 8', + maxDHKeySize: '2048', + messages: [] + }, + intermediate: { + cipherSuite: 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA', + sslProtocols: { + apache: 'all -SSLv2 -SSLv3', + nginx: 'TLSv1 TLSv1.1 TLSv1.2', + haproxy: 'ssl no-sslv3' + }, + clientList: 'Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7', + maxDHKeySize: '1024', + messages: [] + }, + old: { + cipherSuite: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA', + sslProtocols: { + apache: 'all -SSLv2', + nginx: 'SSLv3 TLSv1 TLSv1.1 TLSv1.2', + haproxy: 'ssl' + }, + clientList: 'Windows XP IE6, Java 6', + maxDHKeySize: '1024', + messages: [] + } + }; - var messageTypes = { - oldOpenSSL: 'TLS v1.1 
and v1.2 support is only present in OpenSSL 1.0.1 and newer', - oldApache: 'TLS v1.1 and v1.2 support is only present in Apache 2.4 and newer' - }; + var messageTypes = { + oldOpenSSL: 'TLS v1.1 and v1.2 support is only present in OpenSSL 1.0.1 and newer', + oldApache: 'TLS v1.1 and v1.2 support is only present in Apache 2.4 and newer' + }; function getVersionConstrainedDirectives(data) { switch (data.server) { @@ -176,7 +176,7 @@ frontend ft_test data.listen = ' listen 443 ssl;'; } else { data.listen = ' listen 443;' + '\n' + - ' ssl on;'; + ' ssl on;'; } break; case "apache": @@ -191,17 +191,17 @@ frontend ft_test } if (isSemVer(data.serverVersion, '>=2.4.8')) { - data.certFile = ' SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs'; + data.certFile = ' SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs'; } else { - data.certFile = ' SSLCertificateFile /path/to/signed_certificate\n' + - ' SSLCertificateChainFile /path/to/intermediate_certificate'; + data.certFile = ' SSLCertificateFile /path/to/signed_certificate\n' + + ' SSLCertificateChainFile /path/to/intermediate_certificate'; } if (data.hstsEnabled == "true") { data.hsts = '\n # HSTS (mod_headers is required) (15768000 seconds = 6 months)' + '\n' + ' Header always add Strict-Transport-Security "max-age=15768000"'; } if (isSemVer(data.serverVersion, '>=2.3.16')) { - data.sslProtocols = data.sslProtocols.replace(' -SSLv2',''); + data.sslProtocols = data.sslProtocols.replace(' -SSLv2', ''); } break; case "haproxy": 
@@ -222,14 +222,16 @@ frontend ft_test $(document).ready(function() { function loadFromQueryString() { // http://stackoverflow.com/a/10834119/837015 - var defaults = {"server": "apache-2.2.15", - "openssl": "1.0.1e", - "hsts": "yes", - "profile": "intermediate"}; + var defaults = { + "server": "apache-2.2.15", + "openssl": "1.0.1e", + "hsts": "yes", + "profile": "intermediate" + }; var queries = defaults; var search = document.location.search.trim(); - $.each(search.substr(1).split('&'),function(c,q){ + $.each(search.substr(1).split('&'), function(c, q) { var i = q.split('='); queries[i[0].toString()] = i.length == 2 ? i[1].toString() : "true"; }); 
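Review bot: The values the `$.each` callback writes into `queries` come straight from `document.location.search` and are never checked against the known option names before later code splices them into selectors such as `input#" + queries["profile"]` (next hunk), so an unexpected value yields a broken or unintended selector instead of the default. Also `var queries = defaults;` aliases rather than copies, so the defaults object itself is overwritten while parsing and no longer holds fallback values afterwards. A minimal fix is `var queries = $.extend({}, defaults);` and, after the loop, `if (!profiles.hasOwnProperty(queries["profile"])) { queries["profile"] = defaults["profile"]; }`. loadFromQueryString continues past the end of this hunk.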
@@ -239,40 +241,40 @@ frontend ft_test $("#server-version").val(server[1]); $("#openssl-version").val(queries["openssl"]); $("input#hsts-enabled").attr("checked", queries["hsts"] === "yes"); - $("div#server-list input#"+server[0]).attr("checked", true); - $("div#security-profile-list input#"+queries["profile"]).attr("checked", true); + $("div#server-list input#" + server[0]).attr("checked", true); + $("div#security-profile-list input#" + queries["profile"]).attr("checked", true); } - function toggleProfileAvailability(disableProfileTest, currentProfile, targetProfile, message) { - profileOrder = ["modern", "intermediate", "old"]; - result = currentProfile; + function toggleProfileAvailability(disableProfileTest, currentProfile, targetProfile, message) { + profileOrder = ["modern", "intermediate", "old"]; + result = currentProfile; if (disableProfileTest) { - if ($.inArray(message, profiles[targetProfile]["messages"]) == -1) { - profiles[targetProfile]["messages"].push(message); - } - if ($("#security-profile-list input#" + targetProfile).prop("disabled") == false) { - $("#security-profile-list input#" + targetProfile).prop("disabled", true); - if (currentProfile == targetProfile) { - fallbackProfile = profileOrder[(profileOrder.indexOf(targetProfile) + 1 < profileOrder.length ? - profileOrder.indexOf(targetProfile) + 1 : - 0)]; - $("#security-profile-list input#" + fallbackProfile).prop( "checked", true ); - result = fallbackProfile; - } - } + if ($.inArray(message, profiles[targetProfile]["messages"]) == -1) { + profiles[targetProfile]["messages"].push(message); + } + if ($("#security-profile-list input#" + targetProfile).prop("disabled") == false) { + $("#security-profile-list input#" + targetProfile).prop("disabled", true); + if (currentProfile == targetProfile) { + fallbackProfile = profileOrder[(profileOrder.indexOf(targetProfile) + 1 < profileOrder.length ? 
+ profileOrder.indexOf(targetProfile) + 1 : + 0)]; + $("#security-profile-list input#" + fallbackProfile).prop("checked", true); + result = fallbackProfile; + } + } } else { - if ($.inArray(message, profiles[targetProfile]["messages"]) != -1) { - profiles[targetProfile]["messages"].splice(profiles[targetProfile]["messages"].indexOf(message), 1); - } + if ($.inArray(message, profiles[targetProfile]["messages"]) != -1) { + profiles[targetProfile]["messages"].splice(profiles[targetProfile]["messages"].indexOf(message), 1); + } } if (profiles[targetProfile]["messages"].length == 0) { - $("#security-profile-list input#" + targetProfile).prop("disabled", false); - $("#security-profile-list label[for=" + targetProfile + "]").removeAttr("title"); + $("#security-profile-list input#" + targetProfile).prop("disabled", false); + $("#security-profile-list label[for=" + targetProfile + "]").removeAttr("title"); } else { - $("#security-profile-list label[for=" + targetProfile + "]").attr("title", profiles[targetProfile]["messages"].join(" ")); - } + $("#security-profile-list label[for=" + targetProfile + "]").attr("title", profiles[targetProfile]["messages"].join(" ")); + } return result; - } + } function renderConfig() { var data = { 
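Review bot: The re-indented lines `profileOrder = ["modern", "intermediate", "old"];`, `result = currentProfile;` and `fallbackProfile = profileOrder[...]` inside toggleProfileAvailability still assign without `var`, so all three become implicit globals shared between the two back-to-back calls made from renderConfig. Since the commit already touches these lines, declare them locally: `var profileOrder = ["modern", "intermediate", "old"];`, `var result = currentProfile;`, `var fallbackProfile = profileOrder[...]`. Note also that the fallback wraps to index 0 when the disabled profile is the last in `profileOrder`, which could re-select a profile that is itself disabled; the visible callers only pass "modern", so this is not reached today, but a short comment stating that assumption would help. The function starts and ends within this hunk.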
@@ -282,36 +284,39 @@ frontend ft_test server: $("div#server-list input:radio:checked").val(), securityProfile: $("div#security-profile-list input:radio:checked").val() }; - + var source = $("#" + data.server + "-template").html(); var template = Handlebars.compile(source); - data.visibility = "visible"; + data.visibility = "visible"; jQuery.extend(data, { sslProtocols: profiles[data.securityProfile]["sslProtocols"][data.server], cipherSuites: profiles[data.securityProfile]["cipherSuites"], maxDHKeySize: profiles[data.securityProfile]["maxDHKeySize"], - clientList: profiles[data.securityProfile]["clientList"], - queryString: $.param({ - server: $("div#server-list input:radio:checked").val() + "-" + $("#server-version").val(), - openssl: $("#openssl-version").val(), - hsts: $("input#hsts-enabled:checkbox:checked").val() ? "yes" : "no", - profile: $("div#security-profile-list input:radio:checked").val() - }) + clientList: profiles[data.securityProfile]["clientList"] }); jQuery.extend(data, getVersionConstrainedDirectives(data)); - data.securityProfile = toggleProfileAvailability( - isOpenSSLSemVer(data.opensslVersion, "<1.0.1"), - data.securityProfile, - "modern", + data.securityProfile = toggleProfileAvailability( + isOpenSSLSemVer(data.opensslVersion, "<1.0.1"), + data.securityProfile, + "modern", messageTypes.oldOpenSSL); - data.securityProfile = toggleProfileAvailability( - data.server == "apache" && isSemVer(data.serverVersion, "<2.4.0"), - data.securityProfile, - "modern", + data.securityProfile = toggleProfileAvailability( + data.server == "apache" && isSemVer(data.serverVersion, "<2.4.0"), + data.securityProfile, + "modern", messageTypes.oldApache); + + jQuery.extend(data, { + queryString: $.param({ + server: data.server + "-" + data.serverVersion, + openssl: data.opensslVersion, + hsts: data.hstsEnabled ? 
"yes" : "no", + profile: data.securityProfile + }) + }); $("#server-config-text").html(template(data)); } $("ul#security-profile-list li button").click(function() { |
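Review bot: The new `hsts: data.hstsEnabled ? "yes" : "no"` tests truthiness, but the apache branch earlier in this file compares the same field against a string (`if (data.hstsEnabled == "true")`), which suggests `data.hstsEnabled` holds "true"/"false"; if so, the string "false" is truthy and the permalink always encodes `hsts=yes`. The expression it replaces read the checkbox directly and did not have this problem; for consistency with the apache branch use `hsts: data.hstsEnabled == "true" ? "yes" : "no"`. Separately, the context line `cipherSuites: profiles[data.securityProfile]["cipherSuites"]` reads a key that the `profiles` object in the first hunk defines as `cipherSuite`, so the template receives undefined for it unless that property is set somewhere outside this diff — worth confirming before relying on it. The start of renderConfig (its `var data = {` literal) lies outside this hunk.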