path: root/ssl-config-generator
Commit log (columns: commit message, author, date, files changed, lines -removed/+added). Entries indented under a merge commit are the commits that merge brought in.

* Merge pull request #133 from osirisinferi/ca-certificate
  Julien Vehent [:ulfr] | 2016-07-28 | 1 file | -1/+3
  Comment SSLCACertificateFile
  * Comment SSLCACertificateFile
    osirisinferi | 2016-03-19 | 1 file | -1/+3
* Merge pull request #137 from jrchamp/patch-2
  Julien Vehent [:ulfr] | 2016-07-28 | 1 file | -1/+1
  Update oldApache TLS support message
  * Update oldApache TLS support message
    jrchamp | 2016-04-05 | 1 file | -1/+1
    Apache 2.2.23 and newer support TLS 1.1 and 1.2
* Merge pull request #141 from rremer/haproxy-preferred-syntax
  Julien Vehent [:ulfr] | 2016-07-28 | 1 file | -1/+1
  use preferred haproxy header manipulation method
  * use preferred haproxy header manipulation method
    Royce | 2016-04-20 | 1 file | -1/+1
* Add nginx versions 1.9.6 to 1.10.1
  Nathaniel Bibler | 2016-07-28 | 1 file | -1/+1
* Remove client-side redirect now GitHub pages support enforcing HTTPS
  Ed Morley | 2016-06-08 | 1 file | -4/+0
  GitHub pages now support enforcing HTTPS (which has been enabled in #144), so the client-side redirect can now be removed. See: https://help.github.com/articles/securing-your-github-pages-site-with-https/
* Remove ssl option from where it cannot be.
  Jairo Llopis | 2016-03-04 | 1 file | -5/+5
  Fix #128.
* Better defaults for HAProxy
  Yajo | 2016-03-02 | 1 file | -2/+6
  Redirects with 301 HTTP to HTTPS and adds cipher and options by default to all SSL binds and servers.
* indentation cleanup, fixes #113
  Julien Vehent | 2016-02-23 | 1 file | -6/+6
* Merge branch 'gh-pages' of github.com:mozilla/server-side-tls into gh-pages
  Julien Vehent | 2016-02-23 | 1 file | -3/+18
  * Merge pull request #108 from corburn/nginx
    Julien Vehent [:ulfr] | 2016-02-14 | 1 file | -2/+17
    Add nginx HTTPS redirect with HSTS, HTTP/2, and IPv6
    * Add nginx HTTPS redirect with HSTS, HTTP/2, and IPv6
      Jason Travis | 2016-01-20 | 1 file | -2/+17
      - Enable HTTP/2 with nginx >=1.9.5
      - Always listen on both IPv4 and IPv6
      - Include a HTTP to HTTPS redirect when using HSTS
  * Add most recent Apache 2.4 versions
    Bernard Spil | 2016-02-11 | 1 file | -1/+1
    Fix for #114
* update conf generator with new recommendations
  Julien Vehent | 2016-02-23 | 1 file | -43/+33
* V4: updated ciphersuites, publish guidelines as JSON
  Julien Vehent | 2016-02-11 | 1 file | -6/+6
  This commit is the result of several months of discussions and maturation. It represents the state of the art in TLS configurations. It has been rebased, but the history is shown below and can be read at: https://github.com/mozilla/server-side-tls/pull/97
  - V4: updated levels, added JSON
  - Remove DHE from modern, add ChaCha20
  - prefer aes256 in modern, add ecdh size parameter
  - Remove TLSv1.1 from modern level
  - Prefer AES256-GCM to ChaCha20 in modern configuration
  - Recommend ECDSAWithSHA384 as cert signature in modern conf
  - Remove unused document signature
  - Change recommended curve in Modern to P256
  - Convert certificate types, curves and signatures to lists to support multiple acceptable values
  - readd EDH-RSA-DES-CBC3-SHA to intermediate and old
  - Add DHE-RSA-AES256-GCM-SHA384 to intermediate level
  - rename json keys
  - Revisit old ciphersuites
  - Update wiki document with latest recommendations and rationales
  - Add paragraph on certificates switching
  - Remove configuration samples & cleanup some stuff
  - reset changes to conf generator
* Trigger re-render on checkbox toggle
  Taeho Kim | 2015-11-21 | 1 file | -0/+3
* Move Apache server config outside VirtualHost
  jrchamp | 2015-11-19 | 1 file | -7/+8
  Rather than set the SSL default configuration inside of each virtual host, set it at the server level. Only virtual host specific customizations/overrides should be inside of the VirtualHost.
* Merge pull request #98 from zn/patch
  Julien Vehent | 2015-11-19 | 1 file | -4/+10
  Updated checking version of Apache and hide unsupported directive
  * Updated version check Apache SSL configuration directive
    Gaeulbyul | 2015-11-03 | 1 file | -4/+10
    - SSLCompression is available in httpd version 2.2.24 or later (with OpenSSL 0.9.8).
    - SSLSessionTickets is available in httpd version 2.4.11 or later.
    https://httpd.apache.org/docs/2.2/mod/mod_ssl.html
    https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
* Merge pull request #103 from vthriller/master
  Julien Vehent | 2015-11-19 | 1 file | -1/+4
  nginx: ssl_session_tickets appeared first in 1.5.9
  * nginx: ssl_session_tickets appeared first in 1.5.9
    vthriller | 2015-11-18 | 1 file | -1/+4
    See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
    Also, replicate OpenSSL version constraint from 'case "apache"'.
* Merge pull request #95 from synapt/gh-pages
  Julien Vehent | 2015-11-19 | 1 file | -13/+75
  Lighttpd support + tweaks
  * Update index.html
    nate | 2015-11-02 | 1 file | -1/+1
    Fixed intermediary level lighttpd settings (SSLv3 should be disabled)
  * Update index.html
    nate | 2015-09-24 | 1 file | -4/+1
    Quick fixes.
  * Update index.html
    nate | 2015-09-24 | 1 file | -14/+79
    Added some lighttpd support, updated version numbers, implemented a tweak to snag the latest version from the array when switching between software configs
* Merge pull request #81 from Gillingham/patch-1
  Julien Vehent | 2015-11-02 | 1 file | -1/+1
  Apache 2.2.23 and up also support TLS 1.1 and 1.2
  * TLS 1.1 and 1.2 support was actually added in 2.2.23
    Eric Gillingham | 2015-07-30 | 1 file | -1/+1
  * Apache 2.2.24 and up also support TLS 1.1 and 1.2
    Eric Gillingham | 2015-07-30 | 1 file | -1/+1
    Closes #62
* Merge pull request #80 from meineerde/patch-2
  Julien Vehent | 2015-11-02 | 1 file | -0/+6
  Disable TLS tickets by default
  * Disable TLS tickets by default
    Holger Just | 2015-09-08 | 1 file | -0/+6
    By default, all servers enable TLS tickets. However, the keys are only renewed on server restart, leading to the unfortunate situation that the secret key for the tickets doesn't change for a long time, which effectively destroys the perfect-forward-secrecy guarantee. While all servers allow to specify a file which contains the key on disk, it is generally recommended to not use this, as this allows the key to leak under effectively the same situations the private key could leak, which again defeats the purpose of PFS. The use of server-stored sessions (identified by session ids) is not affected by this and is always safe.

    Because of this, The Document™ specifies at https://wiki.mozilla.org/Security/Server_Side_TLS#TLS_tickets_.28RFC_5077.29 that support for TLS tickets should be disabled if possible. This patch adds the relevant config options.

    Note that Apache only supports this setting since 2.2.30 when used with OpenSSL >= 0.9.8f: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslsessiontickets

    Some versions of HAProxy (i.e. >= 1.6-dev2) allow to set the key via the stats socket. This however requires custom scripts and good maintenance on the side of the operator. A safe default in any case is to disable session tickets.
* Update index.html
  Julien Vehent | 2015-10-18 | 1 file | -1/+2
* Improved "see also" section
  Julien Vehent | 2015-10-18 | 1 file | -1/+7
* Add ECDHE-3DES ciphers to intermediate level in generator [origin/ecdhe-3des-intermediate]
  Julien Vehent | 2015-08-28 | 1 file | -1/+1
* Adding google analytics
  Gene Wood | 2015-08-12 | 1 file | -0/+9
* Update nginx version list
  Gene Wood | 2015-08-11 | 1 file | -1/+1
  Fixes #60
* Bump maxDHKeySize to 2048 for intermediate profile
  Holger Just | 2015-07-09 | 1 file | -1/+1
  In version 3.6 of the Server Side TLS document, the DH size in the intermediate was bumped to 2048 bits. With ECDHE available in the cipher list, even Java 7 should be able to connect. See https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_and_Java for more information.
* Change some links to use HTTPS
  nextPrime | 2015-05-22 | 1 file | -3/+3
  aws.amazon.com and en.wikipedia.org support HTTPS. So update these links to: https://aws.amazon.com/cloudformation/, https://aws.amazon.com/elasticloadbalancing/, and https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security.
* Change HSTS header setting in Apache
  nextPrime | 2015-04-16 | 1 file | -1/+1
  Is it better to use "Header always set Strict-Transport-Security" than "Header always add Strict-Transport-Security", in order to prevent adding duplicate HSTS headers?
* Adding a description to the AWS ELB config
  Gene Wood | 2015-04-16 | 1 file | -0/+4
* Merge branch 'gh-pages' into tooltip-ui
  Gene Wood | 2015-04-16 | 2 files | -5/+187
  * Merge pull request #55 from mozilla/ELB-templates
    Gene Wood | 2015-04-16 | 2 files | -4/+186
    Adding ELB template generation
    * Adding ELB template generation
      Gene Wood | 2015-04-16 | 2 files | -4/+186
  * Clarifying HAProxy error message
    Gene Wood | 2015-04-16 | 1 file | -1/+1
* Enable cross browser tooltip with jquery tooltip
  Gene Wood | 2015-04-16 | 1 file | -0/+4
  This fixes Safari not seeing the tooltip. This doesn't solve mobile devices not being able to mouseover.
* Fixing typo bug of no ciphersuites shown
  Gene Wood | 2015-04-15 | 1 file | -3/+3
* Adding autocomplete versions
  Gene Wood | 2015-04-15 | 1 file | -1/+16
  This autocomplete allows for typing in values not present in the list, which should accommodate new web server and openssl versions that come out over time. Fixes #39
* Fixing mixed whitespace
  Gene Wood | 2015-04-15 | 1 file | -92/+97
  Fixing permalink when fallbackprofile is used
* Adding check for apache<2.4.0
  Gene Wood | 2015-04-15 | 1 file | -52/+86
  Restructuring profile data. Changing default profile to intermediate. Fixes #37
* Merge pull request #47 from mozilla/dh-param-for-old-profile
  Julien Vehent | 2015-04-14 | 1 file | -1/+9
  Max DH Key size is constrained by Java support
  * Max DH Key size is constrained by Java support
    Gene Wood | 2015-04-13 | 1 file | -1/+9
    Fixes #31
* Change ssl_session_timeout to improve performance
  Gene Wood | 2015-04-13 | 1 file | -1/+1
  This is recommended here: https://docs.google.com/presentation/d/1BH9DI1XlmukCzU2i8OvxLIfgQf_aGlZgZyvWDSyYyzs/present?slide=id.g41fa27ab0_4_18 Relates to PR #24
* Merge branch 'gh-pages' into remove-sslv2-apache-after-2.3.16
  Gene Wood | 2015-04-13 | 1 file | -11/+11
  * Merge branch 'gh-pages' into add-defaults-to-query-link-lookup
    Gene Wood | 2015-04-13 | 1 file | -1/+14
    # Conflicts:
    # ssl-config-generator/index.html
  * Moving defaults to loadFromQueryString and improving input validation
    Gene Wood | 2015-04-13 | 1 file | -11/+11
* Fix UI: Disable modern profile even if another profile is selected
  Gene Wood | 2015-04-13 | 1 file | -5/+9
* Remove sslv2 if the apache version is >= 2.3.16
  Gene Wood | 2015-04-13 | 1 file | -1/+5
* Merge pull request #46 from mozilla/no-modern-for-old-openssl
  Gene Wood | 2015-04-13 | 1 file | -3/+16
  Adding new semver test for OpenSSL grammar and code to disable `modern` profile for old versions of OpenSSL
  * Adding comment about the different semver functions
    Gene Wood | 2015-04-13 | 1 file | -1/+2
    Adding detail to message about modern profile being unavailable
  * Adding new semver test for OpenSSL grammar and code to disable `modern` profile for old versions of OpenSSL
    Gene Wood | 2015-04-13 | 1 file | -3/+15
    Setting more common default values for Apache and OpenSSL. Resolves #26
* Merge pull request #27 from mozilla/fix-SSLCertificateChainFile
  Gene Wood | 2015-04-13 | 1 file | -2/+7
  Conditionally displays SSLCertificateChainFile based on Apache version
  * Conditionally displays SSLCertificateChainFile based on Apache version
    Gene Wood | 2015-02-26 | 1 file | -2/+7
    Resolves Issue #21
* Merge pull request #23 from MendelGusmao/permalinks
  Julien Vehent | 2015-03-15 | 1 file | -4/+35
  Implement 'permalinks'
  * Implement 'permalinks'
    MendelGusmao | 2015-02-02 | 1 file | -5/+36
* Fixing my overzealous html cleanup so empty divs are valid
  Gene Wood | 2015-02-26 | 1 file | -2/+2
* Fixing missing semi-colons and invalid input html
  Gene Wood | 2015-02-26 | 1 file | -17/+17
* Moving link to github to the bottom of the page
  Gene Wood | 2014-12-11 | 1 file | -2/+1
  Resolves #18
* Fixing broken responsive grids
  Gene Wood | 2014-11-18 | 1 file | -2/+0
* Fixing bad escaping for HAProxy HSTS header based on PR #11
  Gene Wood | 2014-11-18 | 1 file | -1/+1
* Fixed styling copy paste mistakes and formatting based on PR #11
  Gene Wood | 2014-11-18 | 1 file | -9/+13
  Added tabzilla
* Setting HSTS, when enabled, to always serve the header under Apache, even in error pages and redirects.
  Gene Wood | 2014-11-18 | 1 file | -1/+1
  Resolves #16
* Adding comments about required modules for HSTS as well as a translation of seconds to months
  Gene Wood | 2014-11-18 | 1 file | -3/+3
  Resolves #15
* This modifies PR #13 a bit so that nginx installations older than 0.7.14 work correctly, as the per `listen` directive ssl arguments weren't available at that point.
  Gene Wood | 2014-11-18 | 1 file | -1/+7
  Relates to Issue #12
* Adding a redirect to the https version of the site if it's accessed via http
  Gene Wood | 2014-11-18 | 1 file | -0/+4
  Resolves #14
* Replace deprecated nginx 'ssl' directive with listen 'ssl' parameter
  Bastien Traverse | 2014-11-09 | 1 file | -2/+1
* Adding a list of the oldest compatible clients for each profile
  Gene Wood | 2014-11-05 | 1 file | -2/+12
  Resolves #2
* Make the code block text not spill outside
  Gene Wood | 2014-11-05 | 1 file | -0/+3
  Resolves #6
* minor ordering fixes to the modern and intermediate ciphersuites
  Julien Vehent | 2014-10-29 | 1 file | -2/+2
* Move the `ssl_trusted_certificate` directive from the apache config to the nginx config.
  Gene Wood | 2014-10-21 | 1 file | -9/+8
  Fixes #1
* Moving ocspServerConfig outside VirtualHost to server config
  Gene Wood | 2014-10-20 | 1 file | -1/+3
  http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstaplingcache
* Add a link to the github repo
  Gene Wood | 2014-10-18 | 1 file | -0/+1
* cleanup fonts and add a link to the wiki
  Gene Wood | 2014-10-18 | 1 file | -9/+11
* initial github pages commit of ssl-config-generator
  Gene Wood | 2014-10-18 | 1 file | -0/+254