diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml
index 7e63b4f..db84c92 100644
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml
index 5def282..8e3612a 100644
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml
index 8f59954..555bbe3 100644
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
name: 💙 Generating a PUBLIC Live ISO.
diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index 11db0dd..40de13c 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
- placeholder: "e.g., Master V9.14.026.2026.06.12"
+ placeholder: "e.g., Master V9.14.026.2026.06.17"
validations:
required: true
diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile
index d91baa8..f838475 100644
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
FROM debian:bookworm
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml
index 3aa140a..ec016d2 100644
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
name: 🔁 Render README.md to README.html.
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
index ba81c3e..e47eb9e 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V9.14.026.2026.06.12
+ version: V9.14.026.2026.06.17
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml
index 5b6469d..c2a7357 100644
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V9.14.026.2026.06.12
+ version: V9.14.026.2026.06.17
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index 5b6469d..c2a7357 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V9.14.026.2026.06.12
+ version: V9.14.026.2026.06.17
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index 23a4ea0..493757e 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 08d827f..77af289 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index e4fb3ad..1143bf2 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
name: 💙 Generating a PUBLIC Live ISO.
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index 79a35d9..be846ac 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
# Gitea Workflow: Shell-Script Linting
#
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index faf6631..6453391 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index c82522e..fde0816 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
name: 🔁 Render Graphviz Diagrams.
diff --git a/.version.properties b/.version.properties
index 626c251..89576a3 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.026.2026.06.12"
+properties_version="V9.14.026.2026.06.17"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx
index ec70c0c..740eb00 100644
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.026.2026.06.12
+PackageVersion: Master V9.14.026.2026.06.17
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
diff --git a/README.md b/README.md
index 092e58b..8bca016 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
-[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[](https://eupl.eu/1.2/en/)
[](https://opensource.org/license/eupl-1-2)
@@ -27,7 +27,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
**CISS.debian.live.builder — First of its own.**
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -181,7 +181,7 @@ installer toolchain.
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V9.14.026.2026.06.12`
+Example: `V9.14.026.2026.06.17`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
diff --git a/REPOSITORY.md b/REPOSITORY.md
index f783b6b..37835e5 100644
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder
**Branch:** `master`
-**Repository State:** Master Version **9.14**, Build **V9.14.026.2026.06.12** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.026.2026.06.17** (as of 2025-10-11)
## 3.1. Top-Level Layout
diff --git a/ciss.secureboot/private/README.md b/ciss.secureboot/private/README.md
index 1043ee3..1398519 100644
--- a/ciss.secureboot/private/README.md
+++ b/ciss.secureboot/private/README.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. CISS Secure Boot Private Material
diff --git a/ciss.secureboot/public/README.md b/ciss.secureboot/public/README.md
index 6abe7a6..77b5b5d 100644
--- a/ciss.secureboot/public/README.md
+++ b/ciss.secureboot/public/README.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. CISS Secure Boot Public Material
diff --git a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
index 0953695..01778f5 100644
--- a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
+++ b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
@@ -39,7 +39,7 @@ install -d -m 0755 "${DESTDIR}/usr/sbin"
### Include binaries -----------------------------------------------------------------------------------------------------------
-for bin in bash blkid busybox dd dmsetup gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do
+for bin in awk bash blkid busybox dd dmsetup gawk gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do
path="$(command -v "${bin}" 2>/dev/null || true)"
diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts
index 9ee94e4..baaac68 100644
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
index 1b9b6ad..efc9427 100644
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
diff --git a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
index 7b7d6f8..324c4f7 100644
--- a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
@@ -11,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
index f549b49..b1b8a66 100644
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V9.14.026.2026.06.12"
+declare -gr VERSION="Master V9.14.026.2026.06.17"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then
diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg
index ac1344a..b95d447 100644
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.026.2026.06.12 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.026.2026.06.17 at: 10:18:37.9542
diff --git a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
index 9409406..5da3ad3 100644
--- a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
+++ b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
@@ -25,7 +25,7 @@
# SHA-512 digest and the exact byte length; allocation slack after that SquashFS payload is intentionally out of scope.
# - Panics on missing, malformed, unauthentic, or mismatched evidence.
-set -eu
+# set -eu
PS4='+ 0042(): '
set -x
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index 46dc6db..aa7c967 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. DNSSEC Status
diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md
index 5848f08..5a1efb7 100644
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. Haveged Audit on Netcup RS 2000 G11
diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md
index 86dadd0..6019a39 100644
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. Lynis Audit:
diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md
index 5cb6497..0767d42 100644
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. SSH Audit by ssh-audit.com
diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md
index 4c38b46..d53ea4e 100644
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,15 +8,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. TLS Audit:
````text
./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
-
#####################################################################
- testssl.sh version 3.2.2 from https://testssl.sh/
- (2e77f5e 2025-09-22 19:35:27)
+ testssl.sh version 3.2.3 from https://testssl.sh/
+ (0ff7a34 2026-06-01 09:45:44)
This program is free software. Distribution and modification under
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -27,7 +26,7 @@ include_toc: true
Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers]
on kali:./bin/openssl.Linux.x86_64
- Start 2025-09-28 16:12:17 -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Start 2026-06-17 14:44:50 -->> 152.53.110.40:443 (git.coresecret.dev) <<--
Further IP addresses: 2a0a:4cc0:80:330f:152:53:110:40
rDNS (152.53.110.40): git.coresecret.dev.
@@ -73,11 +72,11 @@ TLSv1
TLSv1.1
-
TLSv1.2 (server order)
- xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLSv1.3 (server order)
- x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384
- x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
+ x1302 TLS_AES_256_GCM_SHA384 MLKEM1024 AESGCM 256 TLS_AES_256_GCM_SHA384
+ x1303 TLS_CHACHA20_POLY1305_SHA256 MLKEM1024 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
Has server cipher order? yes (OK) -- TLS 1.3 and below
@@ -88,21 +87,21 @@ TLSv1.3 (server order)
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
- x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384 available
- x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 available
+ x1302 TLS_AES_256_GCM_SHA384 MLKEM1024 AESGCM 256 TLS_AES_256_GCM_SHA384 available
+ x1303 TLS_CHACHA20_POLY1305_SHA256 MLKEM1024 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 available
xcc14 ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
xcc13 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
xcc15 DHE-RSA-CHACHA20-POLY1305-OLD DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
- xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 available
- xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 not a/v
+ xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not a/v
+ xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 available
xc028 ECDHE-RSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not a/v
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 not a/v
xc014 ECDHE-RSA-AES256-SHA ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not a/v
xc00a ECDHE-ECDSA-AES256-SHA ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA not a/v
xa3 DHE-DSS-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 not a/v
x9f DHE-RSA-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 not a/v
- xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
- xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 available
+ xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 available
+ xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
xccaa DHE-RSA-CHACHA20-POLY1305 DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
xc0af ECDHE-ECDSA-AES256-CCM8 ECDH AESCCM8 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 not a/v
xc0ad ECDHE-ECDSA-AES256-CCM ECDH AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM not a/v
@@ -170,9 +169,10 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
xc086 - ECDH CamelliaGCM 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
xc08a - ECDH CamelliaGCM 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
+ KEMs offered MLKEM1024 X25519MLKEM768 SecP384r1MLKEM1024
Elliptic curves offered: secp384r1 secp521r1 X448
- TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224
- TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512
+ TLS 1.2 sig_algs offered: ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA+SHA224
+ TLS 1.3 sig_algs offered: ECDSA+SHA384
Testing server defaults (Server Hello)
@@ -185,33 +185,33 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
TLS clock skew Random values, no fingerprinting possible
Certificate Compression none
Client Authentication none
- Signature Algorithm SHA256 with RSA
- Server key size RSA 4096 bits (exponent is 65537)
- Server key usage Digital Signature, Key Encipherment
- Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
- Serial 13292523EB168BD226CE46 (OK: length 11)
- Fingerprints SHA1 1CCF67686A5FFF33D163EFC9E67AB5C70D1122B8
- SHA256 565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
+ Signature Algorithm ECDSA with SHA256
+ Server key size EC 384 bits (curve P-384)
+ Server key usage Digital Signature
+ Server extended key usage TLS Web Server Authentication
+ Serial 85135AE9A772A9778768548CDED9F483 (OK: length 16)
+ Fingerprints SHA1 7745E895B49A44DA786509D124F7BAEF5BCDE21A
+ SHA256 EBAC1DAD82CFAF97644D2F9A03082DE9ABC2B44AD4C86FE6FA202D3EF7243FE4
Common Name (CN) coresecret.dev
- subjectAltName (SAN) coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
+ subjectAltName (SAN) coresecret.dev badges.coresecret.dev cendev.eu git.coresecret.dev lab.coresecret.dev phpmyadmin.git.coresecret.dev
+ run.coresecret.dev uml.coresecret.dev www.coresecret.dev
Trust (hostname) Ok via SAN (same w/o SNI)
Chain of trust Ok
EV cert (experimental) no
- Certificate Validity (UTC) 178 >= 60 days (2025-09-27 18:27 --> 2026-03-25 22:59)
+ Certificate Validity (UTC) 89 >= 60 days (2026-06-16 00:00 --> 2026-09-14 23:59)
ETS/"eTLS", visibility info not present
- In pwnedkeys.com DB not in database Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
- OCSP URI http://ocsp.buypass.com, not revoked
+ In pwnedkeys.com DB not in database
+ Certificate Revocation List --
+ OCSP URI http://ocsp.sectigo.com, not revoked
OCSP stapling offered, not revoked
- OCSP must staple extension --
+ OCSP must staple extension supported
DNS CAA RR (experimental) available - please check for match with "Issuer" below
- communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl,
- issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
- issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
- issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
+ contactemail=caa@coresecret.eu, iodef=mailto:caa@coresecret.eu, issue=;, issue=certum.pl, issue=letsencrypt.org;,
+ issue=quantumsign.eu;, issue=sectigo.com, issuemail=certum.pl, issuevmc=sectigo.com, issuewild=;
Certificate Transparency yes (certificate extension)
Certificates provided 2
- Issuer Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
- Intermediate cert validity #1: ok > 40 days (2027-05-23 12:57). Buypass Class 2 CA 5 <-- Buypass Class 2 Root CA
+ Issuer ZeroSSL ECC DV SSL CA 2 (ZeroSSL GmbH from AT)
+ Intermediate cert validity #1: ok > 40 days (2035-09-23 23:59). ZeroSSL ECC DV SSL CA 2 <-- Sectigo Public Server Authentication Root E46
Intermediate Bad OCSP (exp.) Ok
@@ -223,7 +223,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Public Key Pinning --
Server banner nginx
Application banner --
- Cookie(s) 2 issued: 2/2 secure, 2/2 HttpOnly
+ Cookie(s) 1 issued: 1/1 secure, 1/1 HttpOnly
Security headers X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'
@@ -236,7 +236,6 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Embedder-Policy: unsafe-none
X-XSS-Protection: 1; mode=block
- Permissions-Policy: interest-cohort=()
Referrer-Policy: no-referrer
Cache-Control: no-cache
Reverse Proxy banner --
@@ -257,8 +256,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
- make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
- https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
+ no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK)
@@ -271,24 +269,24 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy
------------------------------------------------------------------------------------------------
Android 7.0 (native) No connection
- Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
+ Android 8.1 (native) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
- Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
+ Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768
Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
- Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
+ Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768
Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
- Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
+ Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768
IE 8 Win 7 No connection
- IE 11 Win 7 No connection
- IE 11 Win 8.1 No connection
- IE 11 Win Phone 8.1 No connection
- IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
- Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
+ IE 11 Win 7 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
+ IE 11 Win 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
+ IE 11 Win Phone 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
+ IE 11 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
+ Edge 15 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
- Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
+ Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768
Safari 18.4 (iOS 18.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Safari 18.4 (macOS 15.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
@@ -299,11 +297,11 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Java 21.0.6 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
LibreSSL 3.3.6 (macOS) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
- OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
+ OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
OpenSSL 3.0.15 (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
- OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
- Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
+ OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768
+ Apple Mail (16.0) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
@@ -317,7 +315,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Final Score 100
Overall Grade A+
- Done 2025-09-28 16:13:50 [ 95s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Done 2026-06-17 14:46:05 [ 78s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
````
---
diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md
index 93e11b7..0001258 100644
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. Hardened Kernel Boot Parameters
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 5c44470..f634e78 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,16 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. Changelog
+## V9.14.026.2026.06.17
+* **Updated**: git.coresecret.dev nginx Mainline 1.31.1 custom build with OpenSSL 4.0.1 to support PQC KEX algorithms:
+* * ``MLKEM1024`` ``SecP384r1MLKEM1024`` ``X25519MLKEM768``
+* * ECDH: ``X448`` ``secp521r1`` ``secp384r1``
+* **Updated**: [AUDIT_TLS.md](AUDIT_TLS.md)
+
## V9.14.024.2026.06.11
* **Added**: [lib_build_dir_safety.sh](../lib/lib_build_dir_safety.sh) Integrated Security Audit Finding A12
* **Added**: [lib_debug_sanitize.sh](../lib/lib_debug_sanitize.sh) Integrated Security Audit Finding A11
diff --git a/docs/CNET.md b/docs/CNET.md
index 1034d6c..09b35ad 100644
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. Centurion Net - Developer Branch Overview
diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md
index 98261ea..b251026 100644
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. Purpose
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index df9dbe0..6e7d5ca 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. Contributing / participating
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
index 4c90841..045f7b1 100644
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. Credits
diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md
index bed0dfa..168bf54 100644
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. Download the latest PUBLIC CISS.debian.live.ISO
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
index 07b6805..4a95e89 100644
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,14 +8,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2.1. Usage
````text
CDLB(1) CISS.debian.live.builder CDLB(1)
CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.026.2026.06.12
+Master V9.14.026.2026.06.17
A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
(c) Marc S. Weidner, 2018 - 2026
@@ -190,7 +190,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
💷 Please consider donating to my work at:
🌐 https://coresecret.eu/spenden/
- V9.14.026.2026.06.12 2026-05-17 CDLB(1)
+ V9.14.026.2026.06.17 2026-05-17 CDLB(1)
````
# 3. Booting
diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
index c256ab6..3969383 100644
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
diff --git a/docs/MAN_SSH_Host_Key_Policy.md b/docs/MAN_SSH_Host_Key_Policy.md
index bc602ca..cc136bd 100644
--- a/docs/MAN_SSH_Host_Key_Policy.md
+++ b/docs/MAN_SSH_Host_Key_Policy.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md
index f56c5d2..3726475 100644
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. Resources
diff --git a/docs/documentation/30-ciss-hardening.conf.md b/docs/documentation/30-ciss-hardening.conf.md
index 22581ff..a0b6552 100644
--- a/docs/documentation/30-ciss-hardening.conf.md
+++ b/docs/documentation/30-ciss-hardening.conf.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. ``30-ciss-hardening.conf``
diff --git a/docs/documentation/90-ciss-local.hardened.md b/docs/documentation/90-ciss-local.hardened.md
index 6a3f69a..278582e 100644
--- a/docs/documentation/90-ciss-local.hardened.md
+++ b/docs/documentation/90-ciss-local.hardened.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. ``90-ciss-local.hardened``
diff --git a/docs/documentation/ciss_live_builder.sh.md b/docs/documentation/ciss_live_builder.sh.md
index a973c34..1d983d2 100644
--- a/docs/documentation/ciss_live_builder.sh.md
+++ b/docs/documentation/ciss_live_builder.sh.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.12
+**Build**: V9.14.026.2026.06.17
# 2. ``ciss_live_builder.sh``
diff --git a/scripts/usr/local/sbin/9999_cdi_starter.sh b/scripts/usr/local/sbin/9999_cdi_starter.sh
index c27935a..b2473cf 100644
--- a/scripts/usr/local/sbin/9999_cdi_starter.sh
+++ b/scripts/usr/local/sbin/9999_cdi_starter.sh
@@ -601,7 +601,7 @@ main() {
var_log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +"%Y-%m-%d_%H-%M-%S").log"
touch "${var_log}"
- printf "CISS.debian.live.builder V9.14.026.2026.06.12 calling CISS.debian.installer ... \n" >> "${var_log}"
+ printf "CISS.debian.live.builder V9.14.026.2026.06.17 calling CISS.debian.installer ... \n" >> "${var_log}"
### Sleep a moment to settle boot artifacts.
sleep 8
@@ -696,7 +696,7 @@ main() {
### Timeout reached without acceptable semaphore.
logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
- printf "CISS.debian.live.builder V9.14.026.2026.06.12: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+ printf "CISS.debian.live.builder V9.14.026.2026.06.17: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
exit 0
}
diff --git a/var/early.var.sh b/var/early.var.sh
index 026302e..bee1c94 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
declare -grx VAR_HOST="$(uname -n)"
declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.026.2026.06.12"
+declare -grx VAR_VERSION="Master V9.14.026.2026.06.17"
declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
# Print $4 and $5; include $6 only if it exists
out = $4