<!DOCTYPE html>
<html lang="en" itemscope itemtype="http://schema.org/Article">
<head>
<meta property="og:image" content="https://cipherlist.eu/img/favicon.png">
<meta property="og:title" content="Cipherlist.eu - Strong ciphers for Apache, nginx and Lighttpd">
<meta property="og:type" content="website">
<meta property="og:url" content="https://cipherlist.eu/">
<meta charset="utf-8">
<title>Cipherlist.eu - Strong Ciphers for Apache, nginx and Lighttpd</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="Cipherlist.eu - Strong ciphers for Apache, nginx and Lighttpd">
<meta name="author" content="Remy van Elst">
<link rel="apple-touch-icon" href="img/favicon.png" />
<link rel="apple-touch-icon-precomposed" href="img/favicon.png" />
<link href="img/favicon.png" rel="icon" type="image/png" >
<link href="css/bootstrap.min.css" rel="stylesheet">
<link href="css/style.css" rel="stylesheet">
<script type="text/javascript" language="javascript">
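/**
 * Swap the modern (TLS 1.2/1.3-only) Apache, nginx and Lighttpd snippets on
 * the page for a legacy-compatible set, for admins who still have to serve
 * IE < 11, Android < 4.4 or Java < 8. Triggered by the link in #oldcrap.
 *
 * The legacy set keeps TLS 1.0/1.1 and the DES-CBC3 (3DES) suites enabled;
 * it still rejects SSLv2/SSLv3, RC4, MD5, export and NULL ciphers. Values
 * wrapped in <i>...</i> are placeholders the admin has to replace.
 *
 * Every string written here is a constant in this file, never user input,
 * so innerHTML is not an injection risk. Each snippet is assembled once and
 * assigned once: the previous `innerHTML +=` per line read back and
 * re-parsed the element's markup on every call, and one line relied on ASI
 * for its missing semicolon. Kept ES5-only (var, '+') on purpose, since the
 * audience of this function is browsers that predate ES2015.
 *
 * @returns {void}
 */
function oldCrap() {
  // The OpenSSL cipher string is the same for all three servers; only the
  // directive that carries it differs.
  var legacyCiphers = 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';

  // Apache: "SSLProtocol All -SSLv2 -SSLv3" intentionally leaves TLS 1.0/1.1 on.
  var apache = [
    'SSLCipherSuite ' + legacyCiphers + ' \n',
    'SSLProtocol All -SSLv2 -SSLv3\n',
    'SSLHonorCipherOrder On\n',
    'Header always set Strict-Transport-Security "max-age=63072000; <i>includeSubdomains</i>; preload"\n',
    'Header always set X-Frame-Options DENY\n',
    'Header always set X-Content-Type-Options nosniff\n',
    '# Requires Apache >= 2.4 \n',
    'SSLCompression off\n',
    'SSLSessionTickets Off \n',
    'SSLUseStapling on \n',
    'SSLStaplingCache "shmcb:logs/stapling-cache(150000)"\n'
  ].join('');

  // nginx: TLSv1 and TLSv1.1 are listed explicitly for the legacy clients.
  var nginx = [
    'ssl_ciphers "' + legacyCiphers + '";\n',
    'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n',
    'ssl_prefer_server_ciphers on;\n',
    'ssl_session_cache shared:SSL:10m;\n',
    '# \'always\' requires nginx >= 1.7.5, see http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header\n',
    'add_header Strict-Transport-Security "max-age=63072000; <i>includeSubdomains</i>; preload" always;\n',
    'add_header X-Frame-Options DENY always;\n',
    'add_header X-Content-Type-Options nosniff always;\n',
    'ssl_session_tickets off;\n',
    'ssl_stapling on; # Requires nginx >= 1.3.7\n',
    'ssl_stapling_verify on; # Requires nginx >= 1.3.7\n',
    'resolver <i>$DNS-IP-1 $DNS-IP-2</i> valid=300s;\n',
    'resolver_timeout 5s;\n'
  ].join('');

  // Lighttpd: only SSLv2/SSLv3 are switched off; protocol minimum is not raised.
  var lighttpd = [
    'ssl.honor-cipher-order = "enable"\n',
    'ssl.cipher-list = "' + legacyCiphers + '"\n',
    'ssl.use-compression = "disable"\n',
    'setenv.add-response-header = (\n "Strict-Transport-Security" => "max-age=63072000; <i>includeSubDomains</i>; preload",\n "X-Frame-Options" => "DENY",\n "X-Content-Type-Options" => "nosniff"\n)\n',
    'ssl.use-sslv2 = "disable"\n',
    'ssl.use-sslv3 = "disable"\n'
  ].join('');

  document.getElementById("apacheconfig").innerHTML = apache;
  document.getElementById("nginxconfig").innerHTML = nginx;
  document.getElementById("lighttpdconfig").innerHTML = lighttpd;

  // Offer the way back: a reload re-renders the modern snippets from the static HTML.
  document.getElementById("oldcrap").innerHTML = '\n<br><a onclick="location.reload(true); return false;">Give me the other settings</a>\n';
}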
</script>
</head>
<body>
<a id="top-of-page"></a>
<div class="container-fluid ">
<div class="row"><div class="col-md-10 col-md-offset-1">
<div class="page-header" >
<h1>
<img class="pull-left" src="img/lock.png" width="50" height="70" alt="Cute" /><br />Cipherlist.eu
<small>Strong Ciphers for Apache, nginx and Lighttpd</small>
</h1>
</div>
<div class="col-md-4 column">
<h2>Apache</h2>
<pre class="pre-trans" id="apacheconfig">
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; <i>includeSubDomains</i>; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
</pre>
<br />
</div>
<div class="col-md-4 column">
<h2>nginx</h2>
<pre class="pre-trans" id="nginxconfig">
ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM;
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;
ssl_conf_command Options PrioritizeChaCha;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver <i>$DNS-IP-1 $DNS-IP-2</i> valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
</pre><br />
</div>
<div class="col-md-4 column">
<h2>Lighttpd</h2>
<pre class="pre-trans" id="lighttpdconfig">
var.response_header_policy = (
"strict-transport-security" => "max-age=63072000; includeSubDomains; preload",
"content-security-policy" => "default-src https:",
"x-frame-options" => "DENY",
"x-content-type-options" => "nosniff",
"x-xss-protection" => "1; mode=block",
"permissions-policy" => "interest-cohort=()"
)
setenv.set-response-header += var.response_header_policy
</pre><br />
</div>
</div>
</div>
<div class="col-md-10 col-md-offset-1">
<div class="col-md-4 column">
<a href="https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html">Rationale and tutorial on Strong SSL Security on Apache</a>
</div>
<div class="col-md-4 column">
<a href="https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html">Rationale and tutorial on Strong SSL Security on nginx</a>
</div>
<div class="col-md-4 column">
<a href="https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html">Rationale and tutorial on Strong SSL Security on Lighttpd</a><br />
<a href="https://wiki.lighttpd.net/Docs_SSL">Lighttpd TLS documentation</a>
</div>
</div>
<div class="col-md-10 col-md-offset-1" id="oldcrap">
<br >
<p>Do you need to (or are forced to) support old / legacy software like IE &lt; 11, Android &lt; 4.4 or Java &lt; 8? <a href="#" onclick="oldCrap(); return false;">Yes, give me a ciphersuite that works with legacy / old software.</a></p>
</div>
<div class="col-md-10 col-md-offset-1">
<h3><a href="https://ssldecoder.eu/">Test your SSL config</a></h3>
<h2>Warning</h2>
These examples are meant for sysadmins who have done this before (and for those who are forced to support Windows XP with IE &lt; 9, hence the DES-CBC3 suites in the legacy list), as an easily copy-pastable example, not for newbies who have no idea what all this means. The settings are very secure, but if you don't know what you are doing they might make your website and subdomains <strong>unavailable for a long, long time</strong> (see <a href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security">HSTS</a>). Research what you are doing and think before you act.<br />
<strong>Other suggestions</strong>
<ul>
<li>sha256 certificates</li>
<li>4096-bit private key</li>
<li>&gt;2048 DH Pool size - <pre>openssl dhparam -out dhparams.pem 4096</pre></li>
<li><a href="https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html">HTTP Public Key Pinning</a></li>
</ul>
<h2>Why?</h2>
<a href="https://www.ssllabs.com/ssltest/analyze.html?d=cipherlist.eu"><img src="img/a-plus.png" alt="A+ JAAAAAAAAAA" class="pull-right"/></a>
The above ciphers are copy-pastable into your nginx, Lighttpd or Apache config. These provide strong SSL security for all modern browsers, plus you get an A+ on the <a href="https://www.ssllabs.com/ssltest/analyze.html?d=cipherlist.eu">SSL Labs Test</a>. In short, they set a strong Forward Secrecy enabled ciphersuite, they disable SSLv2, SSLv3, TLSv1 and TLSv1.1, they add HTTP Strict Transport Security and X-Frame-Options DENY headers and they enable OCSP Stapling. (Lighttpd 1.4.56 and later supports OCSP Stapling with the additional config option <code>ssl.stapling-file</code>.)
<br />Using IIS? Check out <a href="https://www.nartac.com/Products/IISCrypto/Default.aspx">IIS Crypto</a>. Other software like Zeus, Tomcat? Detailed info? Read the <a href="https://wiki.mozilla.org/Security/Server_Side_TLS">Mozilla Page</a>.
<br />Cipherlist.eu is made by <a href="https://raymii.org">Remy van Elst (Raymii.org)</a> &amp; <a href="http://tnx.nl">Juerd</a> (Juerd is not the server admin; send suggestions to Remy or open a pull request) after the idea spawned at a <a href="https://privacycafe.nl/">Privacy Cafe</a> at <a href="https://revspace.nl">Revspace</a>.
The image is Public Domain from <a href="https://commons.wikimedia.org/wiki/File:Heart-padlock.svg">here</a>.
Feedback <a href="https://github.com/revspace/cipherlist.eu/issues">here please</a>. Source code <a href="https://github.com/revspace/cipherlist.eu" >here</a>.
<div class="row" style="clear: both;">
<div class="col-md-4 column">
<h3>Tweet</h3>
<a href="https://twitter.com/share" class="twitter-share-button" data-url="https://cipherlist.eu" data-text="Enable strong SSL Security on your site with Cipherlist.eu " data-size="large" data-count="none" data-hashtags="cipherlist" data-dnt="true">Tweet</a>
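<script>
// Twitter "Tweet" button loader. widgets.js is always requested over HTTPS;
// the previous version copied the page's scheme and so fetched this
// third-party script over plain HTTP whenever the page was viewed over http://,
// leaving it open to modification in transit.
!function (d, s, id) {
  var js;
  var fjs = d.getElementsByTagName(s)[0];
  if (d.getElementById(id)) { return; }
  js = d.createElement(s);
  js.id = id;
  js.src = 'https://platform.twitter.com/widgets.js';
  fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'twitter-wjs');
</script>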
</div>
<div class="col-md-4 column">
<h3>Facebook</h3>
<a href="https://www.facebook.com/sharer.php?u=https://cipherlist.eu">
<img src="img/dislike.png" width="150" height="80" alt="dislike this on facebook" />
</a>
</div>
</div>
<hr />
</div>
</div>
<div class="row">
<div class="col-md-10 col-md-offset-1">
<h2>Other Software</h2>
<p><a href="https://github.com/revspace/cipherlist.eu">Pull requests for other software welcome</a></p>
<div class="col-md-6 column">
<h2>haproxy 2.x</h2>
<pre class="pre-trans" id="haproxyconfig">
global
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM
tune.ssl.default-dh-param 2048
frontend http-in
mode http
option httplog
option forwardfor
option http-server-close
option httpclose
bind $YOUR_IP:80
redirect scheme https code 301 if !{ ssl_fc }
frontend https-in
option httplog
option forwardfor
option http-server-close
option httpclose
http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
http-response add-header X-Frame-Options DENY
bind $YOUR_IP:443 ssl crt /etc/haproxy/haproxy.pem curves X25519:secp521r1:secp384r1:prime256v1 ciphers EECDH+AESGCM:EDH+AESGCM no-sslv3 no-tlsv10 no-tlsv11
</pre>
<br />
</div>
<div class="col-md-6 column">
<h2>Postfix</h2>
<pre class="pre-trans" id="postfixconfig">
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/postfix.cert
smtpd_tls_key_file = /etc/ssl/postfix.key
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM
tls_preempt_cipherlist = yes
</pre>
<br />
</div>
<div class="col-md-6 column">
<h2>Exim</h2>
<pre class="pre-trans" id="eximconfig">
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
tls_advertise_hosts = *
tls_require_ciphers = EECDH+AESGCM:EDH+AESGCM
openssl_options = +no_sslv2 +no_sslv3
</pre>
<br />
</div>
<hr>
</div>
</div>
<div class="row">
<div class="col-md-10 col-md-offset-1">
<div class="col-md-6 column">
<h2>ProFTPd</h2>
<pre class="pre-trans" id="proftpdconfig">
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol TLSv1.2
TLSRequired on
TLSCipherSuite EECDH+AESGCM:EDH+AESGCM
TLSRSACertificateFile /etc/proftpd.cert
TLSRSACertificateKeyFile /etc/proftpd.key
</pre>
<br />
</div>
<div class="col-md-6 column">
<h2>Dovecot</h2>
<pre class="pre-trans" id="dovecotconfig">
ssl = yes
ssl_cert = &lt;/etc/dovecot.cert
ssl_key = &lt;/etc/dovecot.key
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
ssl_dh = &lt;/etc/dhparam.pem # openssl dhparam -out /etc/dhparam.pem 4096
</pre>
<br />
</div>
</div>
<div class="row">
<div class="col-md-10 col-md-offset-1">
<div class="col-md-6 column">
<h2>Hitch TLS Proxy</h2>
<pre class="pre-trans" id="hitchconfig">
ciphers = "EECDH+AESGCM:EDH+AESGCM"
prefer-server-ciphers = on
</pre>
</div>
<div class="col-md-6 column">
<h2>Cyrus IMAP</h2>
<pre class="pre-trans" id="cyrusconfig">
tls_server_cert: /etc/ssl/private/cyrus.crt
tls_server_key: /etc/ssl/private/cyrus.key
tls_client_ca_file: /etc/ssl/private/intermediate.pem
tls_ciphers: EECDH+AESGCM:EDH+AESGCM
tls_versions: tls1_2
</pre>
</div>
<div class="col-md-6 column">
<h2>Squid Reverse Proxy</h2>
<pre class="pre-trans" id="squidconfig">https_port 443 accel defaultsite=reverse.example.com vhost \
cert=/etc/pki/tls/certs/star.example.com.crt \
key=/etc/pki/tls/private/star.example.com.key \
cafile=/etc/pki/tls/certs/CA.crt \
options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE,CIPHER_SERVER_PREFERENCE,No_Compression,NO_TICKET \
cipher=ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4 \
tls-dh=prime256v1:/etc/pki/tls/certs/dhparams.pem
cache_peer 192.168.0.10 parent 443 0 no-query originserver login=PASS no-digest ssl ssldomain=*.example.com
</pre>
</div>
<div class="col-md-6 column">
<h2>Zarafa</h2>
These settings can be set in /etc/zarafa/server.cfg and gateway.cfg.
<pre class="pre-trans" id="zarafahighconfig">
server_ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 # >= Debian 7 / CentOS 7
server_ssl_ciphers = EECDH+AESGCM:EDH+AESGCM
server_ssl_prefer_server_ciphers = yes or no
</pre>
<br />
</div>
</div>
</div>
<div class="row">
<div class="col-md-10 col-md-offset-1">
<div class="col-md-6 column">
<h2>MySQL</h2>
<pre class="pre-trans" id="mysqlconfig">
[mysqld]
ssl-ca=/etc/mysql-ssl/ca-cert.pem
ssl-cert=/etc/mysql-ssl/server-cert.pem
ssl-key=/etc/mysql-ssl/server-key.pem
ssl-cipher=EECDH+AESGCM:EDH+AESGCM
# replication:
GRANT REPLICATION SLAVE ON *.* to 'repl'@'%' REQUIRE SSL;
STOP SLAVE;
CHANGE MASTER MASTER_SSL=1,
MASTER_SSL_CA='/etc/mysql-ssl/ca-cert.pem',
MASTER_SSL_CERT='/etc/mysql-ssl/client-cert.pem',
MASTER_SSL_KEY='/etc/mysql-ssl/client-key.pem';
SHOW SLAVE STATUS\G;
START SLAVE;
SHOW SLAVE STATUS\G;
</pre>
<br />
</div>
<div class="col-md-6 column">
<h2>DirectAdmin</h2>
<pre class="pre-trans" id="directadminconfig">
ssl_cipher=EECDH+AESGCM:EDH+AESGCM
SSL=1
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
carootcert=/usr/local/directadmin/conf/carootcert.pem
</pre>
<br />
</div>
<div class="col-md-6 column">
<h2>Postgresql</h2>
<pre class="pre-trans" id="postgresconfig">
ssl = on
ssl_ciphers = 'EECDH+AESGCM:EDH+AESGCM'
password_encryption = on
</pre>
<br />
</div>
<div class="col-md-6 column">
<h2>OpenSSH Server</h2>
<pre class="pre-trans" id="sshdconfig">
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms [email protected],curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
</pre>
<br />
</div>
<div class="col-md-6 column">
<h2>OpenSSH Client</h2>
<pre class="pre-trans" id="sshconfig">
HashKnownHosts yes
Host *
ConnectTimeout 30
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms [email protected],curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
ServerAliveInterval 10
ControlMaster auto
ControlPersist yes
ControlPath ~/.ssh/socket-%r@%h:%p
</pre>
<br />
</div>
<div class="col-md-6 column">
<h2>Golang Server</h2>
<pre class="pre-trans" id="golang-server">
package main
import (
"crypto/tls"
"log"
"net/http"
)
func main() {
mux := http.NewServeMux()
mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
w.Write([]byte("This is an example server.\n"))
})
cfg := &tls.Config{
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
},
}
srv := &http.Server{
Addr: ":443",
Handler: mux,
TLSConfig: cfg,
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
}
log.Fatal(srv.ListenAndServeTLS("tls.crt", "tls.key"))
}
</pre>
<br />
</div>
<div class="col-md-6 column">
<h2>UniFi Controller</h2>
<pre class="pre-trans" id="unifi-controller">
unifi.https.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
unifi.https.sslEnabledProtocols=TLSv1.2
</pre>
<br>
</div>
<div class="col-md-6 column">
<h2>coTURN server</h2>
<pre class="pre-trans" id="coturnconfig">
cipher-list="EECDH+AESGCM:EDH+AESGCM"
ec-curve-name=secp384r1
dh2066
no-tlsv1
no-tlsv1_1
</pre>
<br />
</div>
<div class="col-md-6 column">
<h2>Traefik TLSOptions values.yaml</h2>
<pre class="pre-trans" id="traefik-tlsoptions-values">
tlsOptions:
default:
preferServerCipherSuites: true
cipherSuites:
- EECDH+AESGCM:EDH+AESGCM
minVersion: VersionTLS13
curvePreferences:
- secp384r1
</pre>
<br>
</div>
</body>
</html>