V9.14.026.2026.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-17 15:49:17 +01:00
parent e11b6285ca
commit 009f92aea1
49 changed files with 111 additions and 107 deletions
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 name: 💙 Generating a PUBLIC Live ISO.
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V9.14.026.2026.06.12"
+      placeholder: "e.g., Master V9.14.026.2026.06.17"
    validations:
      required: true
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 FROM debian:bookworm
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 name: 🔁 Render README.md to README.html.
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.026.2026.06.12
+  version: V9.14.026.2026.06.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.026.2026.06.12
+  version: V9.14.026.2026.06.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.026.2026.06.12
+  version: V9.14.026.2026.06.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 name: 💙 Generating a PUBLIC Live ISO.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 name: 🔁 Render Graphviz Diagrams.
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.026.2026.06.12"
+properties_version="V9.14.026.2026.06.17"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.026.2026.06.12
+PackageVersion: Master V9.14.026.2026.06.17
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.026.2026.06.12-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.026.2026.06.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -181,7 +181,7 @@ installer toolchain.
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V9.14.026.2026.06.12`
+Example: `V9.14.026.2026.06.17`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **9.14**, Build **V9.14.026.2026.06.12** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.026.2026.06.17** (as of 2025-10-11)
 ## 3.1. Top-Level Layout
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. CISS Secure Boot Private Material
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. CISS Secure Boot Public Material
@@ -39,7 +39,7 @@ install -d -m 0755  "${DESTDIR}/usr/sbin"
 ### Include binaries -----------------------------------------------------------------------------------------------------------
-for bin in bash blkid busybox dd dmsetup gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do
+for bin in awk bash blkid busybox dd dmsetup gawk gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do
  path="$(command -v "${bin}" 2>/dev/null || true)"
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.026.2026.06.12
+# Version Master V9.14.026.2026.06.17
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V9.14.026.2026.06.12"
+declare -gr VERSION="Master V9.14.026.2026.06.17"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.026.2026.06.12 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.026.2026.06.17 at: 10:18:37.9542
@@ -25,7 +25,7 @@
 #   SHA-512 digest and the exact byte length; allocation slack after that SquashFS payload is intentionally out of scope.
 # - Panics on missing, malformed, unauthentic, or mismatched evidence.
-set -eu
+# set -eu
 PS4='+ 0042(): '
 set -x
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. DNSSEC Status
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. Lynis Audit:
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. SSH Audit by ssh-audit.com
@@ -8,15 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. TLS Audit:
 ````text
 ./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
 #####################################################################
-  testssl.sh version 3.2.2 from https://testssl.sh/
+  testssl.sh version 3.2.3 from https://testssl.sh/
-  (2e77f5e 2025-09-22 19:35:27)
+  (0ff7a34 2026-06-01 09:45:44)
  This program is free software. Distribution and modification under
  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -27,7 +26,7 @@ include_toc: true
  Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
  on kali:./bin/openssl.Linux.x86_64
- Start 2025-09-28 16:12:17        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Start 2026-06-17 14:44:50        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 Further IP addresses:   2a0a:4cc0:80:330f:152:53:110:40
 rDNS (152.53.110.40):   git.coresecret.dev.
@@ -73,11 +72,11 @@ TLSv1
 TLSv1.1
 -
 TLSv1.2 (server order)
- xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 448   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 448   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 448   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 448   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 TLSv1.3 (server order)
- x1302   TLS_AES_256_GCM_SHA384            ECDH 448   AESGCM      256      TLS_AES_256_GCM_SHA384
+ x1302   TLS_AES_256_GCM_SHA384            MLKEM1024  AESGCM      256      TLS_AES_256_GCM_SHA384
- x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 448   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
+ x1303   TLS_CHACHA20_POLY1305_SHA256      MLKEM1024  ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 Has server cipher order?     yes (OK) -- TLS 1.3 and below
@@ -88,21 +87,21 @@ TLSv1.3 (server order)
 Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
 -----------------------------------------------------------------------------------------------------------------------------
- x1302   TLS_AES_256_GCM_SHA384            ECDH 448   AESGCM      256      TLS_AES_256_GCM_SHA384                             available
+ x1302   TLS_AES_256_GCM_SHA384            MLKEM1024  AESGCM      256      TLS_AES_256_GCM_SHA384                             available
- x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 448   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       available
+ x1303   TLS_CHACHA20_POLY1305_SHA256      MLKEM1024  ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       available
 xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH       ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD  not a/v
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH       ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD    not a/v
 xcc15   DHE-RSA-CHACHA20-POLY1305-OLD     DH         ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD      not a/v
- xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 521   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              available
+ xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH       AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              not a/v
- xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH       AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            not a/v
+ xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 521   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            available
 xc028   ECDHE-RSA-AES256-SHA384           ECDH       AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              not a/v
 xc024   ECDHE-ECDSA-AES256-SHA384         ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384            not a/v
 xc014   ECDHE-RSA-AES256-SHA              ECDH       AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 not a/v
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA               not a/v
 xa3     DHE-DSS-AES256-GCM-SHA384         DH         AESGCM      256      TLS_DHE_DSS_WITH_AES_256_GCM_SHA384                not a/v
 x9f     DHE-RSA-AES256-GCM-SHA384         DH         AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                not a/v
- xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH       ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      not a/v
+ xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 448   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      available
- xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 448   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        available
+ xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH       ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        not a/v
 xccaa   DHE-RSA-CHACHA20-POLY1305         DH         ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256          not a/v
 xc0af   ECDHE-ECDSA-AES256-CCM8           ECDH       AESCCM8     256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8                 not a/v
 xc0ad   ECDHE-ECDSA-AES256-CCM            ECDH       AESCCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM                   not a/v
@@ -170,9 +169,10 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 xc086   -                                 ECDH       CamelliaGCM 128      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256       not a/v
 xc08a   -                                 ECDH       CamelliaGCM 128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256         not a/v
 KEMs offered                 MLKEM1024 X25519MLKEM768 SecP384r1MLKEM1024
 Elliptic curves offered:     secp384r1 secp521r1 X448
- TLS 1.2 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224
+ TLS 1.2 sig_algs offered:    ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA+SHA224
- TLS 1.3 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512
+ TLS 1.3 sig_algs offered:    ECDSA+SHA384
 Testing server defaults (Server Hello)
@@ -185,33 +185,33 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 TLS clock skew               Random values, no fingerprinting possible
 Certificate Compression      none
 Client Authentication        none
- Signature Algorithm          SHA256 with RSA
+ Signature Algorithm          ECDSA with SHA256
- Server key size              RSA 4096 bits (exponent is 65537)
+ Server key size              EC 384 bits (curve P-384)
- Server key usage             Digital Signature, Key Encipherment
+ Server key usage             Digital Signature
- Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
+ Server extended key usage    TLS Web Server Authentication
- Serial                       13292523EB168BD226CE46 (OK: length 11)
+ Serial                       85135AE9A772A9778768548CDED9F483 (OK: length 16)
- Fingerprints                 SHA1 1CCF67686A5FFF33D163EFC9E67AB5C70D1122B8
+ Fingerprints                 SHA1 7745E895B49A44DA786509D124F7BAEF5BCDE21A
-                              SHA256 565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
+                              SHA256 EBAC1DAD82CFAF97644D2F9A03082DE9ABC2B44AD4C86FE6FA202D3EF7243FE4
 Common Name (CN)             coresecret.dev
- subjectAltName (SAN)         coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
+ subjectAltName (SAN)         coresecret.dev badges.coresecret.dev cendev.eu git.coresecret.dev lab.coresecret.dev phpmyadmin.git.coresecret.dev
                              run.coresecret.dev uml.coresecret.dev www.coresecret.dev
 Trust (hostname)             Ok via SAN (same w/o SNI)
 Chain of trust               Ok
 EV cert (experimental)       no
- Certificate Validity (UTC)   178 >= 60 days (2025-09-27 18:27 --> 2026-03-25 22:59)
+ Certificate Validity (UTC)   89 >= 60 days (2026-06-16 00:00 --> 2026-09-14 23:59)
 ETS/"eTLS", visibility info  not present
- In pwnedkeys.com DB          not in database Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
+ In pwnedkeys.com DB          not in database
- OCSP URI                     http://ocsp.buypass.com, not revoked
+ Certificate Revocation List  --
 OCSP URI                     http://ocsp.sectigo.com, not revoked
 OCSP stapling                offered, not revoked
- OCSP must staple extension   --
+ OCSP must staple extension   supported
 DNS CAA RR (experimental)    available - please check for match with "Issuer" below
-                              communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl,
+                              contactemail=caa@coresecret.eu, iodef=mailto:caa@coresecret.eu, issue=;, issue=certum.pl, issue=letsencrypt.org;,
-                              issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
+                              issue=quantumsign.eu;, issue=sectigo.com, issuemail=certum.pl, issuevmc=sectigo.com, issuewild=;
                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
 Certificate Transparency     yes (certificate extension)
 Certificates provided        2
- Issuer                       Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
+ Issuer                       ZeroSSL ECC DV SSL CA 2 (ZeroSSL GmbH from AT)
- Intermediate cert validity   #1: ok > 40 days (2027-05-23 12:57). Buypass Class 2 CA 5 <-- Buypass Class 2 Root CA
+ Intermediate cert validity   #1: ok > 40 days (2035-09-23 23:59). ZeroSSL ECC DV SSL CA 2 <-- Sectigo Public Server Authentication Root E46
 Intermediate Bad OCSP (exp.) Ok
@@ -223,7 +223,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Public Key Pinning           --
 Server banner                nginx
 Application banner           --
- Cookie(s)                    2 issued: 2/2 secure, 2/2 HttpOnly
+ Cookie(s)                    1 issued: 1/1 secure, 1/1 HttpOnly
 Security headers             X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'
@@ -236,7 +236,6 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
                              Cross-Origin-Resource-Policy: cross-origin
                              Cross-Origin-Embedder-Policy: unsafe-none
                              X-XSS-Protection: 1; mode=block
                              Permissions-Policy: interest-cohort=()
                              Referrer-Policy: no-referrer
                              Cache-Control: no-cache
 Reverse Proxy banner         --
@@ -257,8 +256,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
-                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
+                                           no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
@@ -271,24 +269,24 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
 ------------------------------------------------------------------------------------------------
 Android 7.0 (native)         No connection
- Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
+ Android 8.1 (native)         TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     384 bit ECDH (P-384)
 Android 9.0 (native)         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 11/12 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 13/14 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Android 15 (native)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Android 15 (native)          TLSv1.3   TLS_AES_256_GCM_SHA384            X25519MLKEM768
 Chrome 101 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            X25519MLKEM768
 Firefox 100 (Win 10)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
- Firefox 137 (Win 11)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
+ Firefox 137 (Win 11)         TLSv1.3   TLS_AES_256_GCM_SHA384            X25519MLKEM768
 IE 8 Win 7                   No connection
- IE 11 Win 7                  No connection
+ IE 11 Win 7                  TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     384 bit ECDH (P-384)
- IE 11 Win 8.1                No connection
+ IE 11 Win 8.1                TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     384 bit ECDH (P-384)
- IE 11 Win Phone 8.1          No connection
+ IE 11 Win Phone 8.1          TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     384 bit ECDH (P-384)
- IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
+ IE 11 Win 10                 TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     384 bit ECDH (P-384)
- Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
+ Edge 15 Win 10               TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     384 bit ECDH (P-384)
 Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Edge 133 Win 11 23H2         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Edge 133 Win 11 23H2         TLSv1.3   TLS_AES_256_GCM_SHA384            X25519MLKEM768
 Safari 18.4 (iOS 18.4)       TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Safari 18.4 (macOS 15.4)     TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
@@ -299,11 +297,11 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Java 21.0.6 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 go 1.17.8                    TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 LibreSSL 3.3.6 (macOS)       TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
- OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       521 bit ECDH (P-521)
+ OpenSSL 1.0.2e               TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     521 bit ECDH (P-521)
 OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 OpenSSL 3.0.15 (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
- OpenSSL 3.5.0 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
+ OpenSSL 3.5.0 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            X25519MLKEM768
- Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       521 bit ECDH (P-521)
+ Apple Mail (16.0)            TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     521 bit ECDH (P-521)
 Thunderbird (91.9)           TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
@@ -317,7 +315,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Final Score                  100
 Overall Grade                A+
- Done 2025-09-28 16:13:50 [  95s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Done 2026-06-17 14:46:05 [  78s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 ````
 ---
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. Hardened Kernel Boot Parameters
@@ -8,10 +8,16 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. Changelog
 ## V9.14.026.2026.06.17
 * **Updated**: git.coresecret.dev nginx Mainline 1.31.1 custom build with OpenSSL 4.0.1 to support PQC KEX algorithms:
 * * ``MLKEM1024`` ``SecP384r1MLKEM1024`` ``X25519MLKEM768`` 
 * * ECDH: ``X448`` ``secp521r1`` ``secp384r1``
 * **Updated**: [AUDIT_TLS.md](AUDIT_TLS.md)
 ## V9.14.024.2026.06.11
 * **Added**: [lib_build_dir_safety.sh](../lib/lib_build_dir_safety.sh) Integrated Security Audit Finding A12
 * **Added**: [lib_debug_sanitize.sh](../lib/lib_debug_sanitize.sh) Integrated Security Audit Finding A11
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. Centurion Net - Developer Branch Overview
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. Purpose
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. Contributing / participating
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. Credits
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.026.2026.06.12
+Master V9.14.026.2026.06.17
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2026
@@ -190,7 +190,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
-                        V9.14.026.2026.06.12                        2026-05-17                         CDLB(1)
+                        V9.14.026.2026.06.17                        2026-05-17                         CDLB(1)
 ````
 # 3. Booting
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. Resources
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. ``30-ciss-hardening.conf``
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. ``90-ciss-local.hardened``
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.026.2026.06.12<br>
+**Build**: V9.14.026.2026.06.17<br>
 # 2. ``ciss_live_builder.sh``
@@ -601,7 +601,7 @@ main() {
  var_log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +"%Y-%m-%d_%H-%M-%S").log"
  touch "${var_log}"
-  printf "CISS.debian.live.builder V9.14.026.2026.06.12 calling CISS.debian.installer ... \n" >> "${var_log}"
+  printf "CISS.debian.live.builder V9.14.026.2026.06.17 calling CISS.debian.installer ... \n" >> "${var_log}"
  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -696,7 +696,7 @@ main() {
  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.live.builder V9.14.026.2026.06.12: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.live.builder V9.14.026.2026.06.17: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
  exit 0
 }
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.026.2026.06.12"
+declare -grx VAR_VERSION="Master V9.14.026.2026.06.17"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4