update conf generator with new recommendations

author: Julien Vehent <julien@linuxwall.info> 2016-02-23 08:12:06 -0500
committer: Julien Vehent <julien@linuxwall.info> 2016-02-23 08:12:06 -0500
commit: d255367a7de1f7324cdd2a3417c97bf1db4bd7ce (patch)
tree: b663c5aae68bcd02696b737272f23c17dcd3c598
parent: 76fd4d931aee018c2a6d0c871d6e0bb08d1f0651 (diff)
download: server-side-tls-d255367a7de1f7324cdd2a3417c97bf1db4bd7ce.zip
server-side-tls-d255367a7de1f7324cdd2a3417c97bf1db4bd7ce.tar.gz
server-side-tls-d255367a7de1f7324cdd2a3417c97bf1db4bd7ce.tar.bz2
1 files changed, 33 insertions, 43 deletions
diff --git a/ssl-config-generator/index.html b/ssl-config-generator/index.html
index 91d272a..ff61f75 100644
--- a/ssl-config-generator/index.html
+++ b/ssl-config-generator/index.html
@@ -65,7 +65,7 @@ server {
 {{ocspstapling}}
 
     resolver &lt;IP DNS resolver&gt;;
- 
+
     ....
 }
 </pre>
@@ -119,8 +119,8 @@ frontend ft_test
 <h2>{{server}} {{serverVersion}} | {{securityProfile}} profile | OpenSSL {{opensslVersion}} | <a href="?{{queryString}}">link</a></h2>
 <p>Oldest compatible clients : {{clientList}}</p>
 <span class="message">{{message}}</span>
-<p>This <a href="https://aws.amazon.com/cloudformation/">Amazon Web Services CloudFormation</a> template 
-  will create an <a href="https://aws.amazon.com/elasticloadbalancing/">Elastic Load Balancer</a> which 
+<p>This <a href="https://aws.amazon.com/cloudformation/">Amazon Web Services CloudFormation</a> template
+  will create an <a href="https://aws.amazon.com/elasticloadbalancing/">Elastic Load Balancer</a> which
   terminates HTTPS connections using the Mozilla recommended ciphersuites and protocols.
 </p>
 <pre style="visibility: {{visibility}};">
@@ -141,7 +141,7 @@ $SERVER["socket"] == ":443" {
     ssl.pemfile               = "/path/to/signed_cert_plus_private_key.pem"
     ssl.ca-file               = "/path/to/intermediate_certificate.pem"
     # for DH/DHE ciphers, dhparam should be >= 2048-bit
-    ssl.dh-file               = "/path/to/dhparam.pem" 
+    ssl.dh-file               = "/path/to/dhparam.pem"
     # ECDH/ECDHE ciphers curve strength (see `openssl ecparam -list_curves`)
     ssl.ec-curve              = "secp384r1"
     # Compression is by default off at compile-time, but use if needed
@@ -166,76 +166,66 @@ $SERVER["socket"] == ":443" {
     <script>
         var profiles = {
             modern: {
-                cipherSuites: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK',
+                cipherSuites: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
                 elbPolicy: [
-                    "Protocol-TLSv1.1",
                     "Protocol-TLSv1.2",
                     "Server-Defined-Cipher-Order",
                     "ECDHE-ECDSA-AES128-GCM-SHA256",
                     "ECDHE-RSA-AES128-GCM-SHA256",
                     "ECDHE-ECDSA-AES128-SHA256",
                     "ECDHE-RSA-AES128-SHA256",
-                    "ECDHE-ECDSA-AES128-SHA",
-                    "ECDHE-RSA-AES128-SHA",
-                    "DHE-RSA-AES128-SHA",
                     "ECDHE-ECDSA-AES256-GCM-SHA384",
                     "ECDHE-RSA-AES256-GCM-SHA384",
                     "ECDHE-ECDSA-AES256-SHA384",
                     "ECDHE-RSA-AES256-SHA384",
-                    "ECDHE-RSA-AES256-SHA",
-                    "ECDHE-ECDSA-AES256-SHA",
-                    "DHE-RSA-AES256-SHA256",
-                    "DHE-RSA-AES256-SHA",
-                    "DHE-DSS-AES256-SHA",
-                    "DHE-DSS-AES128-GCM-SHA256",
-                    "DHE-RSA-AES128-GCM-SHA256",
-                    "DHE-RSA-AES128-SHA256",
-                    "DHE-DSS-AES128-SHA256"
                 ],
                 sslProtocols: {
-                    apache: 'all -SSLv2 -SSLv3 -TLSv1',
-                    nginx: 'TLSv1.1 TLSv1.2',
-                    haproxy: 'ssl no-sslv3 no-tlsv10',
+                    apache: 'all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1',
+                    nginx: 'TLSv1.2',
+                    haproxy: 'ssl no-sslv3 no-tlsv10 no-tlsv11',
                     lighttpd: '    ssl.use-sslv2 = "disable"\n    ssl.use-sslv3 = "disable"'
                 },
-                clientList: 'Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7, Android 4.4, Java 8',
+                clientList: 'Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8',
                 maxDHKeySize: '2048',
                 messages: []
             },
             intermediate: {
-                cipherSuites: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
+                cipherSuites: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS',
                 elbPolicy: [
                     "Protocol-TLSv1",
                     "Protocol-TLSv1.1",
                     "Protocol-TLSv1.2",
                     "Server-Defined-Cipher-Order",
+                    "ECDHE-ECDSA-CHACHA20-POLY1305",
+                    "ECDHE-RSA-CHACHA20-POLY1305",
                     "ECDHE-ECDSA-AES128-GCM-SHA256",
                     "ECDHE-RSA-AES128-GCM-SHA256",
+                    "ECDHE-ECDSA-AES256-GCM-SHA384",
+                    "ECDHE-RSA-AES256-GCM-SHA384",
+                    "DHE-RSA-AES128-GCM-SHA256",
+                    "DHE-RSA-AES256-GCM-SHA384",
                     "ECDHE-ECDSA-AES128-SHA256",
                     "ECDHE-RSA-AES128-SHA256",
                     "ECDHE-ECDSA-AES128-SHA",
+                    "ECDHE-RSA-AES256-SHA384",
                     "ECDHE-RSA-AES128-SHA",
-                    "DHE-RSA-AES128-SHA",
-                    "ECDHE-ECDSA-AES256-GCM-SHA384",
-                    "ECDHE-RSA-AES256-GCM-SHA384",
                     "ECDHE-ECDSA-AES256-SHA384",
-                    "ECDHE-RSA-AES256-SHA384",
-                    "ECDHE-RSA-AES256-SHA",
                     "ECDHE-ECDSA-AES256-SHA",
+                    "ECDHE-RSA-AES256-SHA",
+                    "DHE-RSA-AES128-SHA256",
+                    "DHE-RSA-AES128-SHA",
+                    "DHE-RSA-AES256-SHA256",
+                    "DHE-RSA-AES256-SHA",
+                    "ECDHE-ECDSA-DES-CBC3-SHA",
+                    "ECDHE-RSA-DES-CBC3-SHA",
+                    "EDH-RSA-DES-CBC3-SHA",
                     "AES128-GCM-SHA256",
-                    "AES128-SHA256",
-                    "AES128-SHA",
                     "AES256-GCM-SHA384",
+                    "AES128-SHA256",
                     "AES256-SHA256",
+                    "AES128-SHA",
                     "AES256-SHA",
                     "DES-CBC3-SHA",
-                    "DHE-RSA-AES256-SHA256",
-                    "DHE-RSA-AES256-SHA",
-                    "DHE-DSS-AES256-SHA",
-                    "DHE-DSS-AES128-GCM-SHA256",
-                    "DHE-RSA-AES128-GCM-SHA256",
-                    "DHE-RSA-AES128-SHA256",
-                    "DHE-DSS-AES128-SHA256"
                 ],
                 sslProtocols: {
                     apache: 'all -SSLv2 -SSLv3',
@@ -248,7 +238,7 @@ $SERVER["socket"] == ":443" {
                 messages: []
             },
             old: {
-                cipherSuites: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
+                cipherSuites: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP',
                 elbPolicy: [
                     "Protocol-SSLv3",
                     "Protocol-TLSv1",
@@ -308,7 +298,7 @@ $SERVER["socket"] == ":443" {
             oldOpenSSL: 'TLS v1.1 and v1.2 support is only present in OpenSSL 1.0.1 and newer',
             oldApache: 'TLS v1.1 and v1.2 support is only present in Apache 2.4 and newer'
         };
-        
+
         $(function() {
             $( document ).tooltip();
         });
@@ -464,7 +454,7 @@ $SERVER["socket"] == ":443" {
                 var software = $("div#server-list input:radio:checked").val();
                 if (change_software === true && typeof versions[software] !== "undefined") {
                     $("#server-version").val(versions[software][versions[software].length-1]);
-                    
+
                 };
 
                 var data = {
@@ -530,7 +520,7 @@ $SERVER["socket"] == ":443" {
                     data.securityProfile,
                     "modern",
                     messageTypes.oldApache);
-                
+
                 $( "#server-version" ).autocomplete({
                     source: versions[data.server]
                 });
@@ -544,7 +534,7 @@ $SERVER["socket"] == ":443" {
                         profile: data.securityProfile
                     })
                 });
-                
+
                 $("#server-config-text").html(template(data));
             }
             $("ul#security-profile-list li button").click(function() {
@@ -624,7 +614,7 @@ $SERVER["socket"] == ":443" {
         See also:
             <ul>
                 <li><a href="https://wiki.mozilla.org/Security/Server_Side_TLS">Mozilla's Server Side TLS Guidelines</a> for more details on these configurations.</li>
-                <li><a href="https://github.com/jvehent/cipherscan">Cipherscan</a> and <a href="https://www.ssllabs.com/ssltest/">SSLLabs</a> to test the configuration of live servers</li>
+                <li><a href="https://github.com/mozilla/tls-observatory">TLS Observatory</a>, <a href="https://github.com/jvehent/cipherscan">Cipherscan</a> and <a href="https://www.ssllabs.com/ssltest/">SSLLabs</a> to test the configuration of live servers</li>
                 <li>Report issues and propose improvements to this generator <a href="https://github.com/mozilla/server-side-tls">on GitHub</a></li>
             </ul>
         </p>
author	Julien Vehent <julien@linuxwall.info>	2016-02-23 08:12:06 -0500
committer	Julien Vehent <julien@linuxwall.info>	2016-02-23 08:12:06 -0500
commit	d255367a7de1f7324cdd2a3417c97bf1db4bd7ce (patch)
tree	b663c5aae68bcd02696b737272f23c17dcd3c598
parent	76fd4d931aee018c2a6d0c871d6e0bb08d1f0651 (diff)
download	server-side-tls-d255367a7de1f7324cdd2a3417c97bf1db4bd7ce.zip server-side-tls-d255367a7de1f7324cdd2a3417c97bf1db4bd7ce.tar.gz server-side-tls-d255367a7de1f7324cdd2a3417c97bf1db4bd7ce.tar.bz2