Commit message | Author | Date | Files | Lines

Indented entries are the commits brought in by the merge listed above them; the line below an entry is the body of its commit message.

* Merge pull request #165 from mozilla/jvehent-patch-1 (HEAD, origin/gh-pages, origin/HEAD, gh-pages) | Julien Vehent [:ulfr] | 2016-10-31 | 1 | -21/+54
    v4.1: Clarify Logjam notes, Clarify risk of TLS Tickets
  * Address review comments (origin/jvehent-patch-1) | Julien Vehent | 2016-10-31 | 1 | -5/+5
  * Recommend RFC7919 pre-defined groups, clarify TLS tickets | Julien Vehent [:ulfr] | 2016-10-05 | 1 | -15/+47
  * v4.1: Clarify Logjam notes, Clarify risk of TLS Tickets | Julien Vehent [:ulfr] | 2016-09-30 | 1 | -10/+11
      r? @ekr @marumari
* Merge pull request #169 from MichaelPaoli/patch-1 | Julien Vehent [:ulfr] | 2016-10-31 | 1 | -1/+1
    Update Server_Side_TLS.mediawiki
  * Update Server_Side_TLS.mediawiki | MichaelPaoli | 2016-10-29 | 1 | -1/+1
      followed but --> followed by - hopefully corrected what appeared to be an English misuse or typo
* Merge pull request #154 from marumari/gh-pages | Julien Vehent [:ulfr] | 2016-08-30 | 1 | -2/+1
    Make the intro section look a lot neater
  * make the intro section look a lot neater by removing mozilla logo and shrinking generator image | April King | 2016-08-04 | 1 | -2/+1
* Merge pull request #152 from bndw/gh-pages | Julien Vehent [:ulfr] | 2016-08-02 | 1 | -1/+1
    fixes typo
  * fixes typo | bndw | 2016-08-01 | 1 | -1/+1
* Merge pull request #133 from osirisinferi/ca-certificate | Julien Vehent [:ulfr] | 2016-07-28 | 1 | -1/+3
    Comment SSLCACertificateFile
  * Comment SSLCACertificateFile | osirisinferi | 2016-03-19 | 1 | -1/+3
* Merge pull request #137 from jrchamp/patch-2 | Julien Vehent [:ulfr] | 2016-07-28 | 1 | -1/+1
    Update oldApache TLS support message
  * Update oldApache TLS support message | jrchamp | 2016-04-05 | 1 | -1/+1
      Apache 2.2.23 and newer support TLS 1.1 and 1.2
* Merge pull request #141 from rremer/haproxy-preferred-syntax | Julien Vehent [:ulfr] | 2016-07-28 | 1 | -1/+1
    use preferred haproxy header manipulation method
  * use preferred haproxy header manipulation method | Royce | 2016-04-20 | 1 | -1/+1
* Merge pull request #151 from nbibler/nginx-versions-update | Julien Vehent [:ulfr] | 2016-07-28 | 1 | -1/+1
    Add nginx versions 1.9.6 to 1.10.1
  * Add nginx versions 1.9.6 to 1.10.1 | Nathaniel Bibler | 2016-07-28 | 1 | -1/+1
* Merge pull request #145 from edmorley/rm-client-side-https-redirect | Julien Vehent [:ulfr] | 2016-06-08 | 1 | -4/+0
    Remove client-side redirect now GitHub pages support enforcing HTTPS
  * Remove client-side redirect now GitHub pages support enforcing HTTPS | Ed Morley | 2016-06-08 | 1 | -4/+0
      GitHub pages now support enforcing HTTPS (which has been enabled in #144), so the client-side redirect can now be removed. See: https://help.github.com/articles/securing-your-github-pages-site-with-https/
* Merge pull request #129 from Yajo/gh-pages | Julien Vehent [:ulfr] | 2016-03-04 | 1 | -5/+5
    Remove ssl option from where it cannot be.
  * Remove ssl option from where it cannot be. | Jairo Llopis | 2016-03-04 | 1 | -5/+5
      Fix #128.
* Merge pull request #126 from Yajo/patch-1 | Julien Vehent [:ulfr] | 2016-03-03 | 1 | -2/+6
    Better defaults for HAProxy
  * Better defaults for HAProxy | Yajo | 2016-03-02 | 1 | -2/+6
      Redirects with 301 HTTP to HTTPS and adds cipher and options by default to all SSL binds and servers.
* indentation cleanup, fixes #113 | Julien Vehent | 2016-02-23 | 1 | -6/+6
* Merge branch 'gh-pages' of github.com:mozilla/server-side-tls into gh-pages | Julien Vehent | 2016-02-23 | 1 | -3/+18
  * Merge pull request #108 from corburn/nginx | Julien Vehent [:ulfr] | 2016-02-14 | 1 | -2/+17
      Add nginx HTTPS redirect with HSTS, HTTP/2, and IPv6
    * Add nginx HTTPS redirect with HSTS, HTTP/2, and IPv6 | Jason Travis | 2016-01-20 | 1 | -2/+17
        - Enable HTTP/2 with nginx >=1.9.5
        - Always listen on both IPv4 and IPv6
        - Include a HTTP to HTTPS redirect when using HSTS
  * Merge pull request #116 from Sp1l/Apache-2.4.18 | Julien Vehent [:ulfr] | 2016-02-14 | 1 | -1/+1
      Add most recent Apache 2.4 versions
    * Add most recent Apache 2.4 versions | Bernard Spil | 2016-02-11 | 1 | -1/+1
        Fix for #114
* update conf generator with new recommendations | Julien Vehent | 2016-02-23 | 1 | -43/+33
* Provide latest json configuration | Julien Vehent | 2016-02-23 | 2 | -1/+150
* Publish link to JSON version of guidelines | Julien Vehent | 2016-02-13 | 2 | -0/+13
* Version json conf in its own folder | Julien Vehent | 2016-02-12 | 1 | -0/+0
* Update oldest clients in JSON configuration | Julien Vehent [:ulfr] | 2016-02-11 | 1 | -1/+1
* Update oldest clients in modern configuration | Julien Vehent [:ulfr] | 2016-02-11 | 1 | -2/+2
* Update Server_Side_TLS.mediawiki | Julien Vehent [:ulfr] | 2016-02-11 | 1 | -3/+2
* Add image to configuration generator at top of page | Julien Vehent [:ulfr] | 2016-02-11 | 1 | -2/+2
* Update ciphersuites table using @marumari's script | Julien Vehent | 2016-02-11 | 1 | -946/+946
* Merge pull request #97 from mozilla/4.0 | Julien Vehent [:ulfr] | 2016-02-11 | 3 | -1715/+1280
    V4: updated levels, added JSON
  * Fix typos in wiki page (origin/4.0) | Julien Vehent [:ulfr] | 2016-02-11 | 1 | -2/+2
  * V4: updated ciphersuites, publish guidelines as JSON | Julien Vehent | 2016-02-11 | 3 | -1715/+1280
      This commit is the result of several months of discussions and maturation. It represents the state of the art in TLS configurations. It has been rebased, but the history is shown below and can be read at: https://github.com/mozilla/server-side-tls/pull/97
      - V4: updated levels, added JSON
      - Remove DHE from modern, add ChaCha20
      - prefer aes256 in modern, add ecdh size parameter
      - Remove TLSv1.1 from modern level
      - Prefer AES256-GCM to ChaCha20 in modern configuration
      - Recommend ECDSAWithSHA384 as cert signature in modern conf
      - Remove unused document signature
      - Change recommended curve in Modern to P256
      - Convert certificate types, curves and signatures to lists to support multiple acceptable values
      - readd EDH-RSA-DES-CBC3-SHA to intermediate and old
      - Add DHE-RSA-AES256-GCM-SHA384 to intermediate level
      - rename json keys
      - Revisit old ciphersuites
      - Update wiki document with latest recommendations and rationales
      - Add paragraph on certificates switching
      - Remove configuration samples & cleanup some stuff
      - reset changes to conf generator
* Bump version 3.9 | Julien Vehent [:ulfr] | 2016-01-05 | 1 | -0/+4
* Add EDH-RSA-DES-CBC3-SHA to old and intermediate confs | Julien Vehent [:ulfr] | 2016-01-05 | 1 | -44/+92
* Merge pull request #105 from dittos/gh-pages | Julien Vehent | 2015-11-21 | 1 | -0/+3
    Trigger re-render on checkbox toggle
  * Trigger re-render on checkbox toggle | Taeho Kim | 2015-11-21 | 1 | -0/+3
* Merge pull request #102 from jrchamp/patch-1 | Julien Vehent | 2015-11-19 | 1 | -7/+8
    Move Apache server config outside VirtualHost
  * Move Apache server config outside VirtualHost | jrchamp | 2015-11-19 | 1 | -7/+8
      Rather than set the SSL default configuration inside of each virtual host, set it at the server level. Only virtual host specific customizations/overrides should be inside of the VirtualHost.
* Merge pull request #98 from zn/patch | Julien Vehent | 2015-11-19 | 1 | -4/+10
    Updated checking version of Apache and hide unsupported directive
  * Updated version check Apache SSL configuration directive | Gaeulbyul | 2015-11-03 | 1 | -4/+10
      - SSLCompression is available in httpd version 2.2.24 or later (with OpenSSL 0.9.8).
      - SSLSessionTickets is available in httpd version 2.4.11 or later.
      https://httpd.apache.org/docs/2.2/mod/mod_ssl.html
      https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
* Merge pull request #103 from vthriller/master | Julien Vehent | 2015-11-19 | 1 | -1/+4
    nginx: ssl_session_tickets appeared first in 1.5.9
  * nginx: ssl_session_tickets appeared first in 1.5.9 | vthriller | 2015-11-18 | 1 | -1/+4
      See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
      Also, replicate OpenSSL version constraint from 'case "apache"'.
* Merge pull request #95 from synapt/gh-pages | Julien Vehent | 2015-11-19 | 1 | -13/+75
    Lighttpd support + tweaks
  * Update index.html | nate | 2015-11-02 | 1 | -1/+1
      Fixed intermediary level lighttpd settings (SSLv3 should be disabled)
  * Update index.html | nate | 2015-09-24 | 1 | -4/+1
      Quick fixes.
  * Update index.html | nate | 2015-09-24 | 1 | -14/+79
      Added some lighttpd support, updated version numbers, implemented a tweak to snag the latest version from the array when switching between software configs
* Typo in RC4 weaknesses, fixes #83 | Julien Vehent | 2015-11-18 | 1 | -1/+1
* Merge pull request #84 from malcolmr/patch-1 | Julien Vehent | 2015-11-02 | 1 | -2/+0
    Remove a dead in-page link for Nginx
  * Remove a dead in-page link for Nginx | Malcolm Rowe | 2015-08-16 | 1 | -2/+0
      The additional information for Nginx was removed in https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&diff=990137&oldid=983316.
* Merge pull request #81 from Gillingham/patch-1 | Julien Vehent | 2015-11-02 | 1 | -1/+1
    Apache 2.2.23 and up also support TLS 1.1 and 1.2
  * TLS 1.1 and 1.2 support was actually added in 2.2.23 | Eric Gillingham | 2015-07-30 | 1 | -1/+1
  * Apache 2.2.24 and up also support TLS 1.1 and 1.2 | Eric Gillingham | 2015-07-30 | 1 | -1/+1
      Closes #62
* Merge pull request #80 from meineerde/patch-2 | Julien Vehent | 2015-11-02 | 1 | -0/+6
    Disable TLS tickets by default
  * Disable TLS tickets by default | Holger Just | 2015-09-08 | 1 | -0/+6
      By default, all servers enable TLS tickets. However, the keys are only renewed on server restart, leading to the unfortunate situation that the secret key for the tickets doesn't change for a long time, which effectively destroys the perfect-forward-secrecy guarantee.

      While all servers allow specifying a file which contains the key on disk, it is generally recommended to not use this, as this allows the key to leak under effectively the same situations the private key could leak, which again defeats the purpose of PFS. The use of server-stored sessions (identified by session ids) is not affected by this and is always safe.

      Because of this, The Document™ specifies at https://wiki.mozilla.org/Security/Server_Side_TLS#TLS_tickets_.28RFC_5077.29 that support for TLS tickets should be disabled if possible. This patch adds the relevant config options.

      Note that Apache only supports this setting since 2.2.30 when used with OpenSSL >= 0.9.8f - http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslsessiontickets

      Some versions of HAProxy (i.e. >= 1.6-dev2) allow setting the key via the stats socket. This however requires custom scripts and good maintenance on the side of the operator. A safe default in any case is to disable session tickets.
* Update index.html | Julien Vehent | 2015-10-18 | 1 | -1/+2
* Improved "see also" section | Julien Vehent | 2015-10-18 | 1 | -1/+7
* Merge pull request #94 from marumari/gh-pages | Julien Vehent | 2015-09-23 | 1 | -3/+3
    15724800 -> 15768000, to bring in line with generator
  * 15724800 -> 15768000, to bring in line with generator (182 versus 182.5 days) | April King | 2015-09-23 | 1 | -3/+3
* Merge pull request #91 from marumari/gh-pages | April King | 2015-08-28 | 1 | -2/+3
    Minor fix to 3.8 to improve TOC readability on small screens
  * Minor fix to 3.8 to improve TOC readability on small screens | April King | 2015-08-28 | 1 | -2/+3
* Merge pull request #90 from marumari/gh-pages | Julien Vehent | 2015-08-28 | 1 | -1394/+1749
    Redo the cipher names table
  * Fix minor error in version chart | April King | 2015-08-28 | 1 | -1/+0
  * Redo the cipher names table | April King | 2015-08-28 | 1 | -1394/+1750
* Merge pull request #89 from mozilla/ecdhe-3des-intermediate | April King | 2015-08-28 | 2 | -2/+2
    Add ECDHE-3DES ciphers to intermediate level
  * Add ECDHE-3DES ciphers to intermediate level in generator (origin/ecdhe-3des-intermediate) | Julien Vehent | 2015-08-28 | 1 | -1/+1
  * Add ECDHE-3DES ciphers to intermediate level | Julien Vehent | 2015-08-28 | 1 | -1/+1
* Merge pull request #88 from marumari/gh-pages | Julien Vehent | 2015-08-28 | 1 | -127/+125
    Editing changes all around
  * Fix an absolute ton of screwed up wikilinks | April King | 2015-08-27 | 1 | -13/+13
  * remove the 3.8 section for now | April King | 2015-08-27 | 1 | -4/+0
  * Moved the version table to the bottom, fixed duplicate __TOC__, cleanup in sections to minimize TOC size | April King | 2015-08-27 | 1 | -126/+128
* Adding google analytics | Gene Wood | 2015-08-12 | 1 | -0/+9
* Update nginx version list | Gene Wood | 2015-08-11 | 1 | -1/+1
    Fixes #60
* Enabling Google Webmaster Tools | Gene Wood | 2015-08-11 | 1 | -0/+1
* Merge pull request #76 from drwetter/gh-pages | Julien Vehent | 2015-07-16 | 1 | -6/+6
    Typos (links)
  * Merge pull request #1 from drwetter/drwetter-patch-1 | Dirk Wetter | 2015-06-22 | 1 | -5/+5
      External links
    * External links | Dirk Wetter | 2015-06-22 | 1 | -5/+5
        Typos / Syntax was for internal links (MediaWiki)
  * Typos (links) | Dirk Wetter | 2015-06-22 | 1 | -1/+1
* Merge pull request #78 from marumari/gh-pages | Julien Vehent | 2015-07-16 | 1 | -2/+2
    Fixing typos
  * fixin' typos | April King | 2015-06-23 | 1 | -2/+2
* Merge pull request #79 from meineerde/patch-1 | Julien Vehent | 2015-07-16 | 1 | -1/+1
    Bump maxDHKeySize to 2048 for intermediate profile
  * Bump maxDHKeySize to 2048 for intermediate profile | Holger Just | 2015-07-09 | 1 | -1/+1
      In version 3.6 of the Server Side TLS document, the DH size in the intermediate was bumped to 2048 bits. With ECDHE available in the cipher list, even Java 7 should be able to connect. See https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_and_Java for more information.
* publish v3.7 | Julien Vehent | 2015-06-19 | 1 | -2/+6
* Merge pull request #73 from marumari/gh-pages | Julien Vehent | 2015-06-19 | 1 | -23/+88
    Change version history to proper table
  * Change version history to proper table | April King | 2015-06-10 | 1 | -23/+88
* Merge pull request #70 from rgacogne/gh-pages | Julien Vehent | 2015-06-19 | 1 | -1/+26
    add notes about pre-defined DH groups, DHE support in clients
  * add a note about pre-defined DH groups, and another about DHE/ECDHE support in clients (taking into account Julien Vehent's comments) | Remi Gacogne | 2015-06-16 | 1 | -1/+26
* Merge pull request #75 from warburtron/patch-2 | Julien Vehent | 2015-06-19 | 1 | -0/+119
    Update Server_Side_TLS.mediawiki
  * Update Server_Side_TLS.mediawiki | David Warburton | 2015-06-18 | 1 | -0/+119
      New branch (I think) with all the requested changes.
* Merge pull request #69 from mozilla/gdestuynder-patch-1 | Julien Vehent | 2015-06-01 | 1 | -3/+3
    Change Golang ordering
  * Change Golang ordering (origin/gdestuynder-patch-1) | Guillaume Destuynder | 2015-06-01 | 1 | -3/+3
      ECDSA on top, and AES128 before AES256 as per https://wiki.mozilla.org/Security/Server_Side_TLS#Prioritization_logic (4)