From 98136560880825ab1180ae9af9f3f3c4f5b90faadab8a53de5f574c041fbd8b9 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Thu, 4 Dec 2025 07:43:43 +0100
Subject: [PATCH] V8.13.536.2025.12.04
Signed-off-by: Marc S. Weidner
---
 config/hooks/live/9935_hardening_ssl.chroot | 6 +++---
 lib/lib_clean_up.sh | 9 ++++-----
 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/config/hooks/live/9935_hardening_ssl.chroot b/config/hooks/live/9935_hardening_ssl.chroot
index 2b45299..b3e145a 100644
--- a/config/hooks/live/9935_hardening_ssl.chroot
+++ b/config/hooks/live/9935_hardening_ssl.chroot
@@ -440,9 +440,9 @@ Groups = X448:P-521:P-384
 SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
 # Operational flags:
-# -SessionTicket ⇒ disable TLS session tickets (TLS 1.2 + 1.3)
-# ServerPreference ⇒ honor server cipher order (TLS 1.2)
-# NoRenegotiation ⇒ disallow TLS 1.2 renegotiation
+# -SessionTicket : disable TLS session tickets (TLS 1.2 + 1.3)
+# ServerPreference: honor server cipher order (TLS 1.2)
+# NoRenegotiation : disallow TLS 1.2 renegotiation
 Options = -SessionTicket,ServerPreference,NoRenegotiation
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/lib/lib_clean_up.sh b/lib/lib_clean_up.sh
index 068848e..9be1f14 100644
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -100,17 +100,16 @@ clean_up() {
 find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
 find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
- # TODO: activate
 ### Securely shred all regular files below ./includes.chroot, then remove empty dirs.
- #if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
+ if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
 # shellcheck disable=SC2312
- # find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
+ find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
 ### Remove empty directories (bottom-up).
- # find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
+ find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
- #fi
+ fi
 eval "${_old_nullglob}" 2>/dev/null || true
 eval "${_old_dotglob}" 2>/dev/null || true
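Review bot: The newly enabled shred pass builds its target from `${VAR_HANDLER_BUILD_DIR}` with no guard against the variable being empty or unset, in which case the path collapses to `/config/includes.chroot`. The `-d` test makes a match unlikely, but writing the test as `if [[ -d "${VAR_HANDLER_BUILD_DIR:?}/config/includes.chroot" ]]; then` would make this destructive step fail closed. The retained `# shellcheck disable=SC2312` also silences the masked-return warning on the `find … | xargs … shred -fzu -n 5 --` pipeline, so a file that could not be overwritten is left on disk with no message. Checking the pipeline status and printing a warning to stderr would make leftover secrets visible. I would also add a comment such as `# NOTE: shred overwrites are best-effort on journaling/CoW filesystems and flash storage`, since the `-n 5` passes give no guarantee there. The body of clean_up() starts and ends outside this hunk, so whether `set -u` or `pipefail` is already active cannot be confirmed from here.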