V9.14.002.2026.05.13
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -122,7 +122,7 @@ x509_extensions = usr_cert # The extensions to add to the cert
|
||||
name_opt = ca_default # Subject Name options
|
||||
cert_opt = ca_default # Certificate field options
|
||||
|
||||
# Extension copying option: use with caution.
|
||||
# Extension copying option: use it with caution.
|
||||
# copy_extensions = copy
|
||||
|
||||
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
|
||||
@@ -232,7 +232,7 @@ basicConstraints=CA:FALSE
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
# PKIX recommendations are harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
|
||||
@@ -282,7 +282,7 @@ basicConstraints = critical,CA:true
|
||||
|
||||
# DER hex encoding of an extension: beware experts only!
|
||||
# obj=DER:02:03
|
||||
# Where 'obj' is a standard or added object
|
||||
# Where 'obj' is a standard or added object.
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, DER:30:03:01:01:FF
|
||||
|
||||
@@ -305,7 +305,7 @@ basicConstraints=CA:FALSE
|
||||
# This is typical in keyUsage for a client certificate.
|
||||
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
# PKIX recommendations are harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
|
||||
@@ -418,33 +418,24 @@ ssl_conf = ssl_sect
|
||||
system_default = system_default_sect
|
||||
|
||||
[system_default_sect]
|
||||
# Protocol floor / ceiling:
|
||||
# - only TLS 1.2 and 1.3.
|
||||
# - TLS 1.3 is FS by design;
|
||||
# - TLS 1.2 FS enforced via the cipher list.
|
||||
MinProtocol = TLSv1.2
|
||||
MaxProtocol = TLSv1.3
|
||||
|
||||
# TLS 1.2 cipher policy:
|
||||
# - Forward secrecy only: ECDHE or DHE (no static RSA kx);
|
||||
# - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
|
||||
# - Keep distro default SECLEVEL=2 explicitly.
|
||||
CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
|
||||
# TLS 1.2: FS only, AEAD only, no AES128, no static RSA negotiation, no DHE negotiation.
|
||||
CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:!AES128:!kRSA:!DHE:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
|
||||
|
||||
# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
|
||||
# TLS 1.3: only AES-256-GCM and ChaCha20-Poly1305.
|
||||
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||
|
||||
# Prefer strong, widely supported ECDHE groups (first = most preferred):
|
||||
# Preferred ECDHE groups.
|
||||
Groups = X448:P-521:P-384
|
||||
|
||||
SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
|
||||
|
||||
# Operational flags:
|
||||
# -SessionTicket : disable TLS session tickets (TLS 1.2 + 1.3)
|
||||
# ServerPreference: honor server cipher order (TLS 1.2)
|
||||
# NoRenegotiation : disallow TLS 1.2 renegotiation
|
||||
# Flags: Tickets off, servers order, renegotiation off.
|
||||
Options = -SessionTicket,ServerPreference,NoRenegotiation
|
||||
|
||||
# Permitted signature algorithms.
|
||||
SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||
EOF
|
||||
|
||||
|
||||
Reference in New Issue
Block a user