IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-25 16:31:08 -06:00
Code Issues Packages Projects Releases Wiki Activity
74d36a8af6
freeipa/contrib/nssciphersuite
History
Jan Cholasta 0d370a959b pylint: enable the import-error check 
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-24 14:11:08 +02:00
..
nssciphersuite.py pylint: enable the import-error check 2016-10-24 14:11:08 +02:00
README.txt Modernize mod_nss's cipher suites 2016-02-11 10:44:29 +01:00

README.txt 

Cipher suite for mod_nss
------------------------

The nssciphersuite.py script parses mod_nss' nss_engine_cipher.c file and
creates a list of secure cipher suites for TLS. The script filters out
insecure, obsolete and slow ciphers according to some rules.

As of January 2016 and mod_nss 1.0.12 the cipher suite list contains 14
cipher suites for TLS 1.0, 1.1 and 1.2 for RSA and ECDSA certificates. The
cipher suite list also supports Perfect Forward Secrecy with ephemeral ECDH
key exchange. https://www.ssllabs.com/ gives a 'A' grade.

Note:
No suite is compatible with IE 8 and earlier on Windows XP. If you need IE 8
support, append "+rsa_3des_sha" to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA.

# disabled cipher attributes: SSL_3DES, SSL_CAMELLIA, SSL_CAMELLIA128, SSL_CAMELLIA256, SSL_DES, SSL_DSS, SSL_MD5, SSL_RC2, SSL_RC4, SSL_aDSS, SSL_aNULL, SSL_eNULL, SSL_kECDHe, SSL_kECDHr, kECDH
# weak strength: SSL_EXPORT40, SSL_EXPORT56, SSL_LOW, SSL_STRONG_NONE
# enabled cipher suites:
#   TLS_RSA_WITH_AES_128_CBC_SHA256
#   TLS_RSA_WITH_AES_256_CBC_SHA256
#   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
#   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
#   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
#   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
#   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
#   TLS_RSA_WITH_AES_128_GCM_SHA256
#   TLS_RSA_WITH_AES_128_CBC_SHA
#   TLS_RSA_WITH_AES_256_GCM_SHA384
#   TLS_RSA_WITH_AES_256_CBC_SHA
#

NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha