-
Notifications
You must be signed in to change notification settings - Fork 142
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
V4: updated ciphersuites, publish guidelines as JSON
This commit is the result of several months of discussions and maturation. It represents the state of the art in TLS configurations. It has been rebased, but the history is shown below and can be read at: #97 - V4: updated levels, added JSON - Remove DHE from modern, add ChaCha20 - prefer aes256 in modern, add ecdh size parameter - Remove TLSv1.1 from modern level - Prefer AES256-GCM to ChaCha20 in modern configuration - Recommend ECDSAWithSHA384 as cert signature in modern conf - Remove unused document signature - Change recommended curve in Modern to P256 - Convert certificate types, curves and signatures to lists to support multiple acceptable values - readd EDH-RSA-DES-CBC3-SHA to intermediate and old - Add DHE-RSA-AES256-GCM-SHA384 to intermediate level - rename json keys - Revisit old ciphersuites - Update wiki document with latest recommendations and rationales - Add paragraph on certificates switching - Remove configuration samples & cleanup some stuff - reset changes to conf generator
- Loading branch information
Showing
3 changed files
with
1,280 additions
and
1,715 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,146 @@ | ||
| { | ||
| "configurations": { | ||
| "modern": { | ||
| "openssl_ciphersuites": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256", | ||
| "ciphersuites": [ | ||
| "ECDHE-ECDSA-AES256-GCM-SHA384", | ||
| "ECDHE-RSA-AES256-GCM-SHA384", | ||
| "ECDHE-ECDSA-CHACHA20-POLY1305", | ||
| "ECDHE-RSA-CHACHA20-POLY1305", | ||
| "ECDHE-ECDSA-AES128-GCM-SHA256", | ||
| "ECDHE-RSA-AES128-GCM-SHA256", | ||
| "ECDHE-ECDSA-AES256-SHA384", | ||
| "ECDHE-RSA-AES256-SHA384", | ||
| "ECDHE-ECDSA-AES128-SHA256", | ||
| "ECDHE-RSA-AES128-SHA256" | ||
| ], | ||
| "tls_versions": ["TLSv1.2" ], | ||
| "tls_curves": [ "prime256v1", "secp384r1", "secp521r1" ], | ||
| "certificate_types": ["ecdsa"], | ||
| "certificate_curves": ["prime256v1", "secp384r1", "secp521r1"], | ||
| "certificate_signatures": ["sha256WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"], | ||
| "rsa_key_size": 2048, | ||
| "dh_param_size": null, | ||
| "ecdh_param_size": 256, | ||
| "hsts_min_age": 15768000, | ||
| "oldest_clients": [ "Firefox 27", "Chrome 22", "IE 11", "Opera 14", "Safari 7", "Android 4.4", "Java 8", "Windows Vista"] | ||
| }, | ||
| "intermediate": { | ||
| "openssl_ciphersuites": "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS", | ||
| "ciphersuites": [ | ||
| "ECDHE-ECDSA-CHACHA20-POLY1305", | ||
| "ECDHE-RSA-CHACHA20-POLY1305", | ||
| "ECDHE-ECDSA-AES128-GCM-SHA256", | ||
| "ECDHE-RSA-AES128-GCM-SHA256", | ||
| "ECDHE-ECDSA-AES256-GCM-SHA384", | ||
| "ECDHE-RSA-AES256-GCM-SHA384", | ||
| "DHE-RSA-AES128-GCM-SHA256", | ||
| "DHE-RSA-AES256-GCM-SHA384", | ||
| "ECDHE-ECDSA-AES128-SHA256", | ||
| "ECDHE-RSA-AES128-SHA256", | ||
| "ECDHE-ECDSA-AES128-SHA", | ||
| "ECDHE-RSA-AES256-SHA384", | ||
| "ECDHE-RSA-AES128-SHA", | ||
| "ECDHE-ECDSA-AES256-SHA384", | ||
| "ECDHE-ECDSA-AES256-SHA", | ||
| "ECDHE-RSA-AES256-SHA", | ||
| "DHE-RSA-AES128-SHA256", | ||
| "DHE-RSA-AES128-SHA", | ||
| "DHE-RSA-AES256-SHA256", | ||
| "DHE-RSA-AES256-SHA", | ||
| "ECDHE-ECDSA-DES-CBC3-SHA", | ||
| "ECDHE-RSA-DES-CBC3-SHA", | ||
| "EDH-RSA-DES-CBC3-SHA", | ||
| "AES128-GCM-SHA256", | ||
| "AES256-GCM-SHA384", | ||
| "AES128-SHA256", | ||
| "AES256-SHA256", | ||
| "AES128-SHA", | ||
| "AES256-SHA", | ||
| "DES-CBC3-SHA" | ||
| ], | ||
| "tls_versions": ["TLSv1.2", "TLSv1.1", "TLSv1" ], | ||
| "tls_curves": [ "secp256r1", "secp384r1", "secp521r1" ], | ||
| "certificate_types": ["rsa"], | ||
| "certificate_curves": null, | ||
| "certificate_signatures": ["sha256WithRSAEncryption"], | ||
| "rsa_key_size": 2048, | ||
| "dh_param_size": 2048, | ||
| "ecdh_param_size": 256, | ||
| "hsts_min_age": 15768000, | ||
| "oldest_clients": [ "Firefox 1", "Chrome 1", "IE 7", "Opera 5", "Safari 1", "Windows XP IE8", "Android 2.3", "Java 7" ] | ||
| }, | ||
| "old": { | ||
| "openssl_ciphersuites": "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP", | ||
| "ciphersuites": [ | ||
| "ECDHE-ECDSA-CHACHA20-POLY1305", | ||
| "ECDHE-RSA-CHACHA20-POLY1305", | ||
| "ECDHE-RSA-AES128-GCM-SHA256", | ||
| "ECDHE-ECDSA-AES128-GCM-SHA256", | ||
| "ECDHE-RSA-AES256-GCM-SHA384", | ||
| "ECDHE-ECDSA-AES256-GCM-SHA384", | ||
| "DHE-RSA-AES128-GCM-SHA256", | ||
| "DHE-DSS-AES128-GCM-SHA256", | ||
| "DHE-DSS-AES256-GCM-SHA384", | ||
| "DHE-RSA-AES256-GCM-SHA384", | ||
| "ECDHE-RSA-AES128-SHA256", | ||
| "ECDHE-ECDSA-AES128-SHA256", | ||
| "ECDHE-RSA-AES128-SHA", | ||
| "ECDHE-ECDSA-AES128-SHA", | ||
| "ECDHE-RSA-AES256-SHA384", | ||
| "ECDHE-ECDSA-AES256-SHA384", | ||
| "ECDHE-RSA-AES256-SHA", | ||
| "ECDHE-ECDSA-AES256-SHA", | ||
| "DHE-RSA-AES128-SHA256", | ||
| "DHE-RSA-AES128-SHA", | ||
| "DHE-DSS-AES128-SHA256", | ||
| "DHE-RSA-AES256-SHA256", | ||
| "DHE-DSS-AES256-SHA", | ||
| "DHE-RSA-AES256-SHA", | ||
| "ECDHE-RSA-DES-CBC3-SHA", | ||
| "ECDHE-ECDSA-DES-CBC3-SHA", | ||
| "EDH-RSA-DES-CBC3-SHA", | ||
| "AES128-GCM-SHA256", | ||
| "AES256-GCM-SHA384", | ||
| "AES128-SHA256", | ||
| "AES256-SHA256", | ||
| "AES128-SHA", | ||
| "AES256-SHA", | ||
| "DHE-DSS-AES256-SHA256", | ||
| "DHE-DSS-AES128-SHA", | ||
| "DES-CBC3-SHA", | ||
| "DHE-RSA-CHACHA20-POLY1305", | ||
| "ECDHE-RSA-CAMELLIA256-SHA384", | ||
| "ECDHE-ECDSA-CAMELLIA256-SHA384", | ||
| "DHE-RSA-CAMELLIA256-SHA256", | ||
| "DHE-DSS-CAMELLIA256-SHA256", | ||
| "DHE-RSA-CAMELLIA256-SHA", | ||
| "DHE-DSS-CAMELLIA256-SHA", | ||
| "CAMELLIA256-SHA256", | ||
| "CAMELLIA256-SHA", | ||
| "ECDHE-RSA-CAMELLIA128-SHA256", | ||
| "ECDHE-ECDSA-CAMELLIA128-SHA256", | ||
| "DHE-RSA-CAMELLIA128-SHA256", | ||
| "DHE-DSS-CAMELLIA128-SHA256", | ||
| "DHE-RSA-CAMELLIA128-SHA", | ||
| "DHE-DSS-CAMELLIA128-SHA", | ||
| "CAMELLIA128-SHA256", | ||
| "CAMELLIA128-SHA", | ||
| "DHE-RSA-SEED-SHA", | ||
| "DHE-DSS-SEED-SHA", | ||
| "SEED-SHA" | ||
| ], | ||
| "tls_versions": ["TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3" ], | ||
| "tls_curves": [ "secp256r1", "secp384r1", "secp521r1" ], | ||
| "certificate_types": ["rsa"], | ||
| "certificate_curves": null, | ||
| "certificate_signatures": ["sha1WithRSAEncryption"], | ||
| "rsa_key_size": 2048, | ||
| "dh_param_size": 1024, | ||
| "ecdh_param_size": 160, | ||
| "hsts_min_age": 15768000, | ||
| "oldest_clients": [ "Firefox 1", "Chrome 1", "Windows XP IE 6", "Opera 4", "Safari 1", "Java 6" ] | ||
| } | ||
| }, | ||
| "version": 4.0 | ||
| } |
Oops, something went wrong.