{"id":7379,"date":"2018-05-05T20:55:21","date_gmt":"2018-05-05T12:55:21","guid":{"rendered":"http:\/\/rmohan.com\/?p=7379"},"modified":"2018-05-05T20:55:47","modified_gmt":"2018-05-05T12:55:47","slug":"7379","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=7379","title":{"rendered":"Cipher type 2018"},"content":{"rendered":"<div class=\"col-md-4 column\">\n<h2>Apache<\/h2>\n<pre id=\"apacheconfig\" class=\"pre-trans\">SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\r\nSSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\r\nSSLHonorCipherOrder On\r\nHeader always set Strict-Transport-Security \"max-age=63072000; <i>includeSubDomains<\/i>; preload\"\r\nHeader always set X-Frame-Options DENY\r\nHeader always set X-Content-Type-Options nosniff\r\n# Requires Apache &gt;= 2.4\r\nSSLCompression off\r\nSSLUseStapling on\r\nSSLStaplingCache \"shmcb:logs\/stapling-cache(150000)\"\r\n# Requires Apache &gt;= 2.4.11\r\nSSLSessionTickets Off\r\n<\/pre>\n<\/div>\n<div class=\"col-md-4 column\">\n<h2>nginx<\/h2>\n<pre id=\"nginxconfig\" class=\"pre-trans\">ssl_protocols TLSv1.3; # Requires nginx &gt;= 1.13.0 else use TLSv1.2\r\nssl_prefer_server_ciphers on; \r\nssl_dhparam \/etc\/nginx\/dhparam.pem; # openssl dhparam -out \/etc\/nginx\/dhparam.pem 4096\r\nssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; # AES256-GCM suites pair with SHA384 only; OpenSSL has no *-AES256-GCM-SHA512 suite\r\nssl_ecdh_curve secp384r1; # Requires nginx &gt;= 1.1.0\r\nssl_session_timeout  10m;\r\nssl_session_cache shared:SSL:10m;\r\nssl_session_tickets off; # Requires nginx &gt;= 1.5.9\r\nssl_stapling on; # Requires nginx &gt;= 1.3.7\r\nssl_stapling_verify on; # Requires nginx &gt;= 1.3.7\r\nresolver <i>$DNS-IP-1 $DNS-IP-2<\/i> valid=300s;\r\nresolver_timeout 5s; \r\nadd_header Strict-Transport-Security \"max-age=63072000; includeSubDomains; preload\";\r\nadd_header X-Frame-Options DENY;\r\nadd_header X-Content-Type-Options nosniff;\r\nadd_header X-XSS-Protection \"1; 
mode=block\";\r\nadd_header X-Robots-Tag none; \r\n<\/pre>\n<\/div>\n<div class=\"col-md-4 column\">\n<h2>Lighttpd<\/h2>\n<pre class=\"pre-trans\">ssl.honor-cipher-order = \"enable\"\r\nssl.cipher-list = \"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\"\r\nssl.use-compression = \"disable\"\r\nsetenv.add-response-header = (\r\n    \"Strict-Transport-Security\" =&gt; \"max-age=63072000; <i>includeSubDomains<\/i>; preload\",\r\n    \"X-Frame-Options\" =&gt; \"DENY\",\r\n    \"X-Content-Type-Options\" =&gt; \"nosniff\"\r\n)\r\nssl.use-sslv2 = \"disable\"\r\nssl.use-sslv3 = \"disable\"\r\n<\/pre>\n<h2>Warning<\/h2>\n<pre class=\"pre-trans\">These examples are meant for sysadmins who have done this before (and for sysadmins who are forced to support Windows XP with IE &lt; 9, therefore des3cbc), as an easily copy-pastable example, not for newbies who have no idea what all this means. The settings are very secure, but if you don't know what you are doing, they might make your website and subdomains\u00a0<strong>unavailable for a long, long time<\/strong>\u00a0(see\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/HTTP_Strict_Transport_Security\">HSTS<\/a>). Research what you are doing and think before you act. 
Don't poop here, so to speak.\u00a0\r\n<strong>Other suggestions<\/strong><\/pre>\n<ul>\n<li>sha256 certificates<\/li>\n<li>4096-bit private key<\/li>\n<li>&gt;2048-bit DH parameters &#8211;\n<pre>openssl dhparam -out dhparams.pem 4096<\/pre>\n<\/li>\n<\/ul>\n<div class=\"row\">\n<div class=\"col-md-10 col-md-offset-1\">\n<h2>Other Software<\/h2>\n<p><a href=\"https:\/\/github.com\/RaymiiOrg\/cipherli.st\">Pull requests for other software welcome<\/a><\/p>\n<div class=\"col-md-6 column\">\n<h2>haproxy<\/h2>\n<pre id=\"haproxyconfig\" class=\"pre-trans\">global\r\n   ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12\r\n   ssl-default-bind-ciphers AES128+EECDH:AES128+EDH\r\n\r\nfrontend http-in\r\n      mode http\r\n      option httplog\r\n      option forwardfor\r\n      option http-server-close\r\n      option httpclose\r\n      bind 192.0.2.10:80\r\n      redirect scheme https code 301 if !{ ssl_fc }\r\n\r\nfrontend https-in\r\n    mode http\r\n    option httplog\r\n    option forwardfor\r\n    option http-server-close\r\n    option httpclose\r\n    rspadd Strict-Transport-Security:\\ max-age=31536000;\\ includeSubDomains;\\ preload\r\n    rspadd X-Frame-Options:\\ DENY\r\n    bind 192.0.2.10:443 ssl crt \/etc\/haproxy\/haproxy.pem ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-sslv3\r\n<\/pre>\n<\/div>\n<div class=\"col-md-6 column\">\n<h2>Postfix<\/h2>\n<pre id=\"postfixconfig\" class=\"pre-trans\">smtpd_use_tls=yes\r\nsmtpd_tls_security_level = may\r\nsmtpd_tls_auth_only = yes\r\nsmtpd_tls_cert_file=\/etc\/ssl\/postfix.cert\r\nsmtpd_tls_key_file=\/etc\/ssl\/postfix.key\r\nsmtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1\r\nsmtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1\r\nsmtpd_tls_mandatory_ciphers = medium\r\ntls_medium_cipherlist = AES128+EECDH:AES128+EDH\r\n<\/pre>\n<\/div>\n<div class=\"col-md-6 column\">\n<h2>Exim<\/h2>\n<pre id=\"eximconfig\" class=\"pre-trans\">tls_certificate = \/etc\/exim.cert\r\ntls_privatekey = 
\/etc\/exim.key\r\ntls_advertise_hosts = *\r\ntls_require_ciphers = AES128+EECDH:AES128+EDH\r\nopenssl_options = +no_sslv2 +no_sslv3\r\n<\/pre>\n<\/div>\n<hr \/>\n<\/div>\n<\/div>\n<div class=\"row\">\n<div class=\"col-md-10 col-md-offset-1\">\n<div class=\"col-md-6 column\">\n<h2>ProFTPd<\/h2>\n<pre id=\"proftpdconfig\" class=\"pre-trans\">TLSEngine on\r\nTLSLog \/var\/ftpd\/tls.log\r\nTLSProtocol TLSv1.2\r\nTLSRequired on\r\nTLSCipherSuite AES128+EECDH:AES128+EDH\r\nTLSRSACertificateFile \/etc\/proftpd.cert\r\nTLSRSACertificateKeyFile \/etc\/proftpd.key\r\n<\/pre>\n<\/div>\n<div class=\"col-md-6 column\">\n<h2>Dovecot<\/h2>\n<pre id=\"dovecotconfig\" class=\"pre-trans\">ssl = yes\r\nssl_cert = &lt;\/etc\/dovecot.cert\r\nssl_key = &lt;\/etc\/dovecot.key\r\nssl_protocols = !SSLv2 !SSLv3\r\nssl_cipher_list = AES128+EECDH:AES128+EDH\r\nssl_prefer_server_ciphers = yes # &gt;Dovecot 2.2.6\r\nssl_dh_parameters_length = 4096 # &gt;Dovecot 2.2\r\n<\/pre>\n<\/div>\n<div class=\"col-md-6 column\">\n<h2>Hitch TLS Proxy<\/h2>\n<pre id=\"hitchconfig\" class=\"pre-trans\">ciphers = \"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\"\r\nprefer-server-ciphers = on\r\n<\/pre>\n<\/div>\n<div class=\"col-md-6 column\">\n<h2>Zarafa<\/h2>\n<p>These settings can be set in \/etc\/zarafa\/server.cfg and gateway.cfg.<\/p>\n<h3>Medium security<\/h3>\n<pre id=\"zarafaconfig\" class=\"pre-trans\">server_ssl_protocols = !SSLv2 !SSLv3\r\nserver_ssl_ciphers = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL\r\nserver_ssl_prefer_server_ciphers = yes or no\r\n<\/pre>\n<h3>High security<\/h3>\n<pre id=\"zarafahighconfig\" class=\"pre-trans\">server_ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1  # &gt;= Debian 7 \/ CentOS 7\r\nserver_ssl_ciphers = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS\r\nserver_ssl_prefer_server_ciphers = yes or 
no\r\n<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"row\">\n<div class=\"col-md-10 col-md-offset-1\">\n<div class=\"col-md-6 column\">\n<h2>MySQL<\/h2>\n<pre id=\"mysqlconfig\" class=\"pre-trans\">[mysqld]\r\nssl-ca=\/etc\/mysql-ssl\/ca-cert.pem\r\nssl-cert=\/etc\/mysql-ssl\/server-cert.pem\r\nssl-key=\/etc\/mysql-ssl\/server-key.pem\r\nssl-cipher=AES128+EECDH:AES128+EDH\r\n# replication (SQL statements, run in the mysql client, not in my.cnf):\r\nGRANT REPLICATION SLAVE ON *.* TO 'repl'@'%' REQUIRE SSL;\r\nSTOP SLAVE;\r\nCHANGE MASTER TO MASTER_SSL=1,\r\nMASTER_SSL_CA='\/etc\/mysql-ssl\/ca-cert.pem',\r\nMASTER_SSL_CERT='\/etc\/mysql-ssl\/client-cert.pem',\r\nMASTER_SSL_KEY='\/etc\/mysql-ssl\/client-key.pem';\r\nSHOW SLAVE STATUS\\G\r\nSTART SLAVE;\r\nSHOW SLAVE STATUS\\G\r\n<\/pre>\n<\/div>\n<div class=\"col-md-6 column\">\n<h2>DirectAdmin<\/h2>\n<pre id=\"directadminconfig\" class=\"pre-trans\">ssl_cipher=AES128+EECDH:AES128+EDH\r\nSSL=1\r\ncacert=\/usr\/local\/directadmin\/conf\/cacert.pem\r\ncakey=\/usr\/local\/directadmin\/conf\/cakey.pem\r\ncarootcert=\/usr\/local\/directadmin\/conf\/carootcert.pem\r\n<\/pre>\n<\/div>\n<div class=\"col-md-6 column\">\n<h2>Postgresql<\/h2>\n<pre id=\"postgresconfig\" class=\"pre-trans\">ssl = on\r\nssl_ciphers = 'AES128+EECDH:AES128+EDH'\r\npassword_encryption = on\r\n<\/pre>\n<\/div>\n<div class=\"col-md-6 column\">\n<h2><a href=\"https:\/\/stribika.github.io\/2015\/01\/04\/secure-secure-shell.html\">OpenSSH Server<\/a><\/h2>\n<pre id=\"sshdconfig\" class=\"pre-trans\">Protocol 2\r\nHostKey \/etc\/ssh\/ssh_host_ed25519_key\r\nHostKey \/etc\/ssh\/ssh_host_rsa_key\r\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\r\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\r\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\r\n<\/pre>\n<\/div>\n<div 
class=\"col-md-6 column\">\n<h2><a href=\"https:\/\/stribika.github.io\/2015\/01\/04\/secure-secure-shell.html\">OpenSSH Client<\/a><\/h2>\n<pre id=\"sshconfig\" class=\"pre-trans\">HashKnownHosts yes\r\nHost github.com\r\n    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512\r\nHost *\r\n  ConnectTimeout 30\r\n  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\r\n  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\r\n  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\r\n  ServerAliveInterval 10\r\n  ControlMaster auto\r\n  ControlPersist yes\r\n  ControlPath ~\/.ssh\/socket-%r@%h:%p<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p> Apache SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder On Header always set Strict-Transport-Security &#8220;max-age=63072000; includeSubDomains; preload&#8221; Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff # Requires Apache &gt;= 2.4 SSLCompression off SSLUseStapling on SSLStaplingCache &#8220;shmcb:logs\/stapling-cache(150000)&#8221; # Requires Apache &gt;= 2.4.11 SSLSessionTickets Off nginx ssl_protocols TLSv1.3;# Requires nginx &gt;= 1.13.0 else 
[&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7379"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7379"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7379\/revisions"}],"predecessor-version":[{"id":7381,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7379\/revisions\/7381"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7379"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}