From ea8cd3771641aed78f379db7c20199959b0a4ff3 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Tue, 10 Dec 2024 03:56:50 -0500 Subject: [PATCH 1/8] copy 5.7 guideline to 5.8 and update version, href --- src/static/guidelines/5.8.json | 209 ++++++++++++++++++++++++++++++ src/static/guidelines/latest.json | 2 +- 2 files changed, 210 insertions(+), 1 deletion(-) create mode 100644 src/static/guidelines/5.8.json diff --git a/src/static/guidelines/5.8.json b/src/static/guidelines/5.8.json new file mode 100644 index 00000000..43eaf121 --- /dev/null +++ b/src/static/guidelines/5.8.json @@ -0,0 +1,209 @@ +{ + "version": 5.8, + "href": "https://ssl-config.mozilla.org/guidelines/5.8.json", + "configurations": { + "modern": { + "certificate_curves": ["prime256v1", "secp384r1"], + "certificate_signatures": ["ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"], + "certificate_types": ["ecdsa"], + "ciphers": { + "caddy": [], + "go": [], + "iana": [], + "openssl": [] + }, + "ciphersuites": [ + "TLS_AES_128_GCM_SHA256", + "TLS_AES_256_GCM_SHA384", + "TLS_CHACHA20_POLY1305_SHA256" + ], + "dh_param_size": null, + "ecdh_param_size": 256, + "hsts_min_age": 63072000, + "maximum_certificate_lifespan": 90, + "ocsp_staple": true, + "oldest_clients": ["Firefox 63", "Android 10.0", "Chrome 70", "Edge 75", "Java 11", "OpenSSL 1.1.1", "Opera 57", "Safari 12.1"], + "recommended_certificate_lifespan": 90, + "rsa_key_size": null, + "server_preferred_order": false, + "tls_curves": ["X25519", "prime256v1", "secp384r1"], + "tls_versions": ["TLSv1.3"] + }, + "intermediate": { + "certificate_curves": ["prime256v1", "secp384r1"], + "certificate_signatures": ["sha256WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"], + "certificate_types": ["ecdsa", "rsa"], + "ciphers": { + "caddy": [ + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" + ], + "go": [ + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" + ], + "iana": [ + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" + ], + "openssl": [ + "ECDHE-ECDSA-AES128-GCM-SHA256", + "ECDHE-RSA-AES128-GCM-SHA256", + "ECDHE-ECDSA-AES256-GCM-SHA384", + "ECDHE-RSA-AES256-GCM-SHA384", + "ECDHE-ECDSA-CHACHA20-POLY1305", + "ECDHE-RSA-CHACHA20-POLY1305", + "DHE-RSA-AES128-GCM-SHA256", + "DHE-RSA-AES256-GCM-SHA384", + "DHE-RSA-CHACHA20-POLY1305" + ] + }, + "ciphersuites": [ + "TLS_AES_128_GCM_SHA256", + "TLS_AES_256_GCM_SHA384", + "TLS_CHACHA20_POLY1305_SHA256" + ], + "dh_param_size": 2048, + "ecdh_param_size": 256, + "hsts_min_age": 63072000, + "maximum_certificate_lifespan": 366, + "ocsp_staple": true, + "oldest_clients": ["Firefox 27", "Android 4.4.2", "Chrome 31", "Edge", "IE 11 on Windows 7", "Java 8u31", "OpenSSL 1.0.1", "Opera 20", "Safari 9"], + "recommended_certificate_lifespan": 90, + "rsa_key_size": 2048, + "server_preferred_order": false, + "tls_curves": ["X25519", "prime256v1", "secp384r1"], + "tls_versions": ["TLSv1.2", "TLSv1.3"] + }, + "old": { + "certificate_curves": ["prime256v1", "secp384r1"], + "certificate_signatures": ["sha256WithRSAEncryption"], + "certificate_types": ["rsa"], + "ciphers": { + "caddy": [ + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA" + ], + "go": [ + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA" + ], + "iana": [ + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_256_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA" + ], + "openssl": [ + "ECDHE-ECDSA-AES128-GCM-SHA256", + "ECDHE-RSA-AES128-GCM-SHA256", + "ECDHE-ECDSA-AES256-GCM-SHA384", + "ECDHE-RSA-AES256-GCM-SHA384", + "ECDHE-ECDSA-CHACHA20-POLY1305", + "ECDHE-RSA-CHACHA20-POLY1305", + "DHE-RSA-AES128-GCM-SHA256", + "DHE-RSA-AES256-GCM-SHA384", + "DHE-RSA-CHACHA20-POLY1305", + "ECDHE-ECDSA-AES128-SHA256", + "ECDHE-RSA-AES128-SHA256", + "ECDHE-ECDSA-AES128-SHA", + "ECDHE-RSA-AES128-SHA", + "ECDHE-ECDSA-AES256-SHA384", + "ECDHE-RSA-AES256-SHA384", + "ECDHE-ECDSA-AES256-SHA", + "ECDHE-RSA-AES256-SHA", + "DHE-RSA-AES128-SHA256", + "DHE-RSA-AES256-SHA256", + "AES128-GCM-SHA256", + "AES256-GCM-SHA384", + "AES128-SHA256", + "AES256-SHA256", + "AES128-SHA", + "AES256-SHA", + "DES-CBC3-SHA" + ] + }, + "ciphersuites": [ + "TLS_AES_128_GCM_SHA256", + "TLS_AES_256_GCM_SHA384", + "TLS_CHACHA20_POLY1305_SHA256" + ], + "dh_param_size": 1024, + "ecdh_param_size": 256, + "hsts_min_age": 63072000, + "maximum_certificate_lifespan": 366, + "ocsp_staple": true, + "oldest_clients": ["Firefox 1", "Android 2.3", "Chrome 1", "Edge 12", "IE8 on Windows XP", "Java 6", "OpenSSL 0.9.8", "Opera 5", "Safari 1"], + "recommended_certificate_lifespan": 90, + "rsa_key_size": 2048, + "server_preferred_order": true, + "tls_curves": ["X25519", "prime256v1", "secp384r1"], + "tls_versions": ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"] + } + } +} diff --git a/src/static/guidelines/latest.json b/src/static/guidelines/latest.json index de06a35a..73921ebc 120000 --- a/src/static/guidelines/latest.json +++ b/src/static/guidelines/latest.json @@ -1 +1 @@ -5.7.json \ No newline at end of file +5.8.json \ No newline at end of file From 1c6240ee3a1e680a9cc9d598834a3d3ab458063d Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Tue, 10 Dec 2024 04:11:07 -0500 Subject: [PATCH 2/8] Go apps use go crypto/tls IANA cipher names https://pkg.go.dev/crypto/tls see 'Constants' Current code https://go.googlesource.com/go/+/refs/heads/master/src/crypto/tls/cipher_suites.go#678 Since Go 1.14 (released Feb 2020), Go added to constants + // Legacy names for the corresponding cipher suites with the correct _SHA256 + // suffix, retained for backward compatibility. + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 https://go.googlesource.com/go (mirror https://github.com/golang/go/) commit e2cac315082a9267135e96249b537d0bd0703175 crypto/tls: add correct names for CHACHA20_POLY1305 cipher suite constants The cipher suites were apparently renamed late in the standardization process, and we picked up the legacy name. We can't remove the old constants, but add correctly named ones. Older versions of Go < 1.14 (now almost 5 years old) need to use TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 instead of TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Note also that some older ciphers are disabled by default in Go https://go.dev/doc/godebug Go 1.23 changed the default TLS cipher suites used by clients and servers when not explicitly configured, removing 3DES cipher suites. The default can be reverted using the tls3des setting. Go 1.22 changed the default TLS cipher suites used by clients and servers when not explicitly configured, removing the cipher suites which used RSA based key exchange. The default can be reverted using the tlsrsakex setting. Go crypto/tls configurable settings: https://pkg.go.dev/crypto/tls#Config This commit removes most of the special-casing done in 2020 in Use caddy ciphers from JSON file https://github.com/mozilla/ssl-config-generator/pull/108 --- src/js/configs.js | 3 +- src/js/state.js | 10 +++++-- src/static/guidelines/5.8.json | 54 ---------------------------------- 3 files changed, 9 insertions(+), 58 deletions(-) diff --git a/src/js/configs.js b/src/js/configs.js index fed1a6d5..fdbcbd6e 100644 --- a/src/js/configs.js +++ b/src/js/configs.js @@ -31,7 +31,7 @@ module.exports = { usesOpenssl: false, }, caddy: { - cipherFormat: 'caddy', + cipherFormat: 'go', latestVersion: '2.8.4', eolBefore: '2.0.0', name: 'Caddy', @@ -68,6 +68,7 @@ module.exports = { name: 'Go', tls13: '1.13.0', usesOpenssl: false, + supportedCiphers: [ 'TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256' ], }, haproxy: { latestVersion: '3.0', diff --git a/src/js/state.js b/src/js/state.js index 1f95df6e..352afc2a 100644 --- a/src/js/state.js +++ b/src/js/state.js @@ -104,9 +104,13 @@ export default async function () { protocols = protocols.filter(ciphers => ciphers !== 'TLSv1.3'); } - let ciphers = configs[server].cipherFormat ? ssc.ciphers[configs[server].cipherFormat] : ssc.ciphers.openssl; - if (configs[server].supportedCiphers) { - ciphers = ciphers.filter(suite => configs[server].supportedCiphers.indexOf(suite) !== -1); + const cipherFormat = configs[server].cipherFormat ? configs[server].cipherFormat : 'openssl'; + let ciphers = cipherFormat === 'go' ? ssc.ciphers['iana'] : ssc.ciphers[cipherFormat]; + const supportedCiphers = configs[server].supportedCiphers + ? configs[server].supportedCiphers + : cipherFormat === 'go' ? configs['go'].supportedCiphers : null; + if (supportedCiphers) { + ciphers = ciphers.filter(suite => supportedCiphers.indexOf(suite) !== -1); } else { ciphers = ciphers; } diff --git a/src/static/guidelines/5.8.json b/src/static/guidelines/5.8.json index 43eaf121..71fe95e2 100644 --- a/src/static/guidelines/5.8.json +++ b/src/static/guidelines/5.8.json @@ -7,8 +7,6 @@ "certificate_signatures": ["ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"], "certificate_types": ["ecdsa"], "ciphers": { - "caddy": [], - "go": [], "iana": [], "openssl": [] }, @@ -34,22 +32,6 @@ "certificate_signatures": ["sha256WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"], "certificate_types": ["ecdsa", "rsa"], "ciphers": { - "caddy": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "go": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" - ], "iana": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", @@ -95,42 +77,6 @@ "certificate_signatures": ["sha256WithRSAEncryption"], "certificate_types": ["rsa"], "ciphers": { - "caddy": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA" - ], - "go": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA" - ], "iana": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", From 4cf3aae12780d3e33d3b6d3f63bf96469ff7c1d3 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Tue, 4 Mar 2025 01:53:55 -0500 Subject: [PATCH 3/8] invert hsts and ocsp logic; disable ocsp default previous rendering of guidelines assumed hsts and ocsp enabled and the URL logic appened value if false. This change inverts that logic and makes includes of &hsts&ocsp sufficient to indicate enabled, not requiring =true. Absence of those tags indicates disabled or false. OCSP checkbox is no longer checked by default. Let's Encrypt plans to sunset its OCSP responders this year (2025) (and has blogged about its reasoning; not repeated here) --- src/js/index.js | 19 +++++++++++++++++-- src/js/state.js | 8 ++++---- src/templates/index.ejs | 2 +- 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/src/js/index.js b/src/js/index.js index cb240e0b..254ccc35 100755 --- a/src/js/index.js +++ b/src/js/index.js @@ -128,6 +128,22 @@ function form_config_init() { e_version.value = configs[params.get('server')].latestVersion; } + // compat behavior with rendering of guidelines <= 5.7 + // (guideline ver is used to separate past rendering behavior from current) + const guideline = params.get('guideline'); + if (guideline !== undefined && !isNaN(guideline)) { + const guideln = parseFloat(guideline); + if (!isNaN(guideln) && guideln <= 5.7) { + // OCSP and HSTS logic inverted; absense indicates checked (enabled) + if (params.get('hsts') === undefined) { + document.getElementById('hsts').checked = true; + } + if (params.get('ocsp') === undefined) { + document.getElementById('ocsp').checked = true; + } + } + } + for (let entry of params.entries()) { if (validHashKeys.includes(entry[0])) { // find the element @@ -140,8 +156,7 @@ function form_config_init() { switch (e.type) { case 'radio': case 'checkbox': - // if it's in the mappings, we should do a find/replace - e.checked = mappings[entry[1]] === undefined ? !!entry[1] : mappings[entry[1]]; + e.checked = entry[1] === undefined ? true : mappings[entry[1]] === undefined ? !!entry[1] : mappings[entry[1]]; break; case 'text': case 'hidden': diff --git a/src/js/state.js b/src/js/state.js index 352afc2a..8f51bda2 100644 --- a/src/js/state.js +++ b/src/js/state.js @@ -66,8 +66,8 @@ export default async function () { // generate the fragment let fragment = `server=${server}&version=${form['version'].value}&config=${config}`; fragment += configs[server].usesOpenssl !== false ? `&openssl=${form['openssl'].value}` : ''; - fragment += configs[server].supportsHsts !== false && !form['hsts'].checked ? `&hsts=false` : ''; - fragment += supportsOcspStapling && !form['ocsp'].checked ? `&ocsp=false` : ''; + fragment += configs[server].supportsHsts !== false && form['hsts'].checked ? '&hsts' : ''; + fragment += supportsOcspStapling && form['ocsp'].checked ? '&ocsp' : ''; fragment += `&guideline=${guideln}`; // generate the version tags @@ -91,8 +91,8 @@ export default async function () { // generate the header const date = new Date().toISOString().substr(0, 10); let header = `generated ${date}, Mozilla Guideline v${guideln}, ${version_tags}`; - header += configs[server].supportsHsts !== false && !form['hsts'].checked ? `, no HSTS` : ''; - header += supportsOcspStapling && !form['ocsp'].checked ? `, no OCSP` : ''; + header += configs[server].supportsHsts !== false && form['hsts'].checked ? ', HSTS' : ''; + header += supportsOcspStapling && form['ocsp'].checked ? ', OCSP' : ''; const link = `${url.origin}${url.pathname}#${fragment}`; diff --git a/src/templates/index.ejs b/src/templates/index.ejs index dcac8c3d..0dc92fd8 100755 --- a/src/templates/index.ejs +++ b/src/templates/index.ejs @@ -107,7 +107,7 @@
- +
From 80b7ad9612bbcef705f83ab49692f11bcaa6df7b Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Tue, 10 Dec 2024 04:49:49 -0500 Subject: [PATCH 4/8] proposed 5.8 guideline changes - remove kDHE ciphers from Intermediate and Old recommended ciphers for Intermediate are now all PFS with AEAD - change Old dhParamSize from 1024 to 2048 and use ffdhe2048 instead of locally generated dhparams - remove 'go' and 'caddy' cipher list from guidelines; instead use IANA cipher names and supportedCiphers list in configs.js to filter ciphers supported by Go crypto/tls module Not part of guidelines, but part of ssl-config-generator: - For HSTS, use HTTP status code 308 Permanent Redirect for redirecting all http:// to https:// The Hypertext Transfer Protocol Status Code 308 (Permanent Redirect) https://www.rfc-editor.org/rfc/rfc7238 (published June 2014) - invert hsts and ocsp logic; disable ocsp default Not (yet) included in this PR: - consider removing all 3DES and CBC ciphers from Old; leave only ECDHE e.g. remove all ciphers in Go InsecureCipherSuites() list // InsecureCipherSuites returns a list of cipher suites currently implemented by // this package and which have security issues. https://go.googlesource.com/go/+/refs/heads/master/src/crypto/tls/cipher_suites.go#75 - consider removing Old configuration; it should not be used If needed, consumers can refer to 'Intermediate' and 'Old' generated from older versions of ssl-config-generator application obtained from the Internet Archive (archive.org) --- src/js/state.js | 7 +++++-- src/static/guidelines/5.8.json | 24 ++++-------------------- 2 files changed, 9 insertions(+), 22 deletions(-) diff --git a/src/js/state.js b/src/js/state.js index 8f51bda2..2d8c385b 100644 --- a/src/js/state.js +++ b/src/js/state.js @@ -135,13 +135,14 @@ export default async function () { ciphers, cipherSuites: ssc.ciphersuites, date, - dhCommand: ssc.dh_param_size >= 2048 ? `curl ${url.origin}/ffdhe${ssc.dh_param_size}.txt` : `openssl dhparam ${ssc.dh_param_size}`, + dhCommand: `curl ${url.origin}/ffdhe${ssc.dh_param_size}.txt`, dhParamSize: ssc.dh_param_size, fragment, hasVersions: configs[server].hasVersions !== false, header, hstsMaxAge: ssc.hsts_min_age, - hstsRedirectCode: 301, + //hstsRedirectCode: form['config'].value === 'old' ? 301 : 308, + hstsRedirectCode: 308, latestVersion: configs[server].latestVersion, link, oldestClients: ssc.oldest_clients, @@ -152,6 +153,8 @@ export default async function () { supportsHsts: configs[server].supportsHsts !== false, supportsOcspStapling: supportsOcspStapling, tlsCurves: ssc.tls_curves, + // XXX: If DHE ciphers removed from guidelines, then usesDhe, dhCommand, + // dhParamSize, and helpers/*.js code which uses them can be removed usesDhe: ciphers.join(":").includes(":DHE") || ciphers.join(":").includes("_DHE_"), usesOpenssl: configs[server].usesOpenssl !== false, }, diff --git a/src/static/guidelines/5.8.json b/src/static/guidelines/5.8.json index 71fe95e2..2d18c51b 100644 --- a/src/static/guidelines/5.8.json +++ b/src/static/guidelines/5.8.json @@ -38,10 +38,7 @@ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" ], "openssl": [ "ECDHE-ECDSA-AES128-GCM-SHA256", @@ -49,10 +46,7 @@ "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", - "ECDHE-RSA-CHACHA20-POLY1305", - "DHE-RSA-AES128-GCM-SHA256", - "DHE-RSA-AES256-GCM-SHA384", - "DHE-RSA-CHACHA20-POLY1305" + "ECDHE-RSA-CHACHA20-POLY1305" ] }, "ciphersuites": [ @@ -65,7 +59,7 @@ "hsts_min_age": 63072000, "maximum_certificate_lifespan": 366, "ocsp_staple": true, - "oldest_clients": ["Firefox 27", "Android 4.4.2", "Chrome 31", "Edge", "IE 11 on Windows 7", "Java 8u31", "OpenSSL 1.0.1", "Opera 20", "Safari 9"], + "oldest_clients": ["Firefox 31.3.0", "Android 4.4.2", "Chrome 49", "Edge 15 on Windows 10", "IE 11 on Windows 10", "Java 8u161", "OpenSSL 1.0.1l", "Opera 20", "Safari 9"], "recommended_certificate_lifespan": 90, "rsa_key_size": 2048, "server_preferred_order": false, @@ -84,9 +78,6 @@ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", @@ -95,8 +86,6 @@ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", @@ -112,9 +101,6 @@ "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305", - "DHE-RSA-AES128-GCM-SHA256", - "DHE-RSA-AES256-GCM-SHA384", - "DHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA", @@ -123,8 +109,6 @@ "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", - "DHE-RSA-AES128-SHA256", - "DHE-RSA-AES256-SHA256", "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", @@ -139,7 +123,7 @@ "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256" ], - "dh_param_size": 1024, + "dh_param_size": 2048, "ecdh_param_size": 256, "hsts_min_age": 63072000, "maximum_certificate_lifespan": 366, From bf23c1526c015fe07805aa9b061764516a87c24c Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Wed, 5 Mar 2025 02:11:11 -0500 Subject: [PATCH 5/8] update state.js to promote guideline 5.8 --- src/js/state.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/js/state.js b/src/js/state.js index 2d8c385b..aab5cb5c 100644 --- a/src/js/state.js +++ b/src/js/state.js @@ -3,8 +3,8 @@ import minver from './helpers/minver.js'; import { xmlEntities } from './utils.js'; const guidelines = {}; -guidelines['5.7'] = require(`../static/guidelines/5.7.json`); -const guideln_latest = '5.7'; // update these two lines when guideline changes +guidelines['5.8'] = require(`../static/guidelines/5.8.json`); +const guideln_latest = '5.8'; // update these two lines when guideline changes export default async function () { From 45d6a0dd1cebc15fd5ac3dff680be978216f4511 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Tue, 4 Mar 2025 19:02:10 -0500 Subject: [PATCH 6/8] copy 5.8 guideline to 6.0 and update version, href --- src/static/guidelines/6.0.json | 139 ++++++++++++++++++++++++++++++ src/static/guidelines/latest.json | 2 +- 2 files changed, 140 insertions(+), 1 deletion(-) create mode 100644 src/static/guidelines/6.0.json diff --git a/src/static/guidelines/6.0.json b/src/static/guidelines/6.0.json new file mode 100644 index 00000000..8c56a7f9 --- /dev/null +++ b/src/static/guidelines/6.0.json @@ -0,0 +1,139 @@ +{ + "version": 6.0, + "href": "https://ssl-config.mozilla.org/guidelines/6.0.json", + "configurations": { + "modern": { + "certificate_curves": ["prime256v1", "secp384r1"], + "certificate_signatures": ["ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"], + "certificate_types": ["ecdsa"], + "ciphers": { + "iana": [], + "openssl": [] + }, + "ciphersuites": [ + "TLS_AES_128_GCM_SHA256", + "TLS_AES_256_GCM_SHA384", + "TLS_CHACHA20_POLY1305_SHA256" + ], + "dh_param_size": null, + "ecdh_param_size": 256, + "hsts_min_age": 63072000, + "maximum_certificate_lifespan": 90, + "ocsp_staple": true, + "oldest_clients": ["Firefox 63", "Android 10.0", "Chrome 70", "Edge 75", "Java 11", "OpenSSL 1.1.1", "Opera 57", "Safari 12.1"], + "recommended_certificate_lifespan": 90, + "rsa_key_size": null, + "server_preferred_order": false, + "tls_curves": ["X25519", "prime256v1", "secp384r1"], + "tls_versions": ["TLSv1.3"] + }, + "intermediate": { + "certificate_curves": ["prime256v1", "secp384r1"], + "certificate_signatures": ["sha256WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"], + "certificate_types": ["ecdsa", "rsa"], + "ciphers": { + "iana": [ + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" + ], + "openssl": [ + "ECDHE-ECDSA-AES128-GCM-SHA256", + "ECDHE-RSA-AES128-GCM-SHA256", + "ECDHE-ECDSA-AES256-GCM-SHA384", + "ECDHE-RSA-AES256-GCM-SHA384", + "ECDHE-ECDSA-CHACHA20-POLY1305", + "ECDHE-RSA-CHACHA20-POLY1305" + ] + }, + "ciphersuites": [ + "TLS_AES_128_GCM_SHA256", + "TLS_AES_256_GCM_SHA384", + "TLS_CHACHA20_POLY1305_SHA256" + ], + "dh_param_size": 2048, + "ecdh_param_size": 256, + "hsts_min_age": 63072000, + "maximum_certificate_lifespan": 366, + "ocsp_staple": true, + "oldest_clients": ["Firefox 27", "Android 4.4.2", "Chrome 31", "Edge", "IE 11 on Windows 7", "Java 8u31", "OpenSSL 1.0.1", "Opera 20", "Safari 9"], + "recommended_certificate_lifespan": 90, + "rsa_key_size": 2048, + "server_preferred_order": false, + "tls_curves": ["X25519", "prime256v1", "secp384r1"], + "tls_versions": ["TLSv1.2", "TLSv1.3"] + }, + "old": { + "certificate_curves": ["prime256v1", "secp384r1"], + "certificate_signatures": ["sha256WithRSAEncryption"], + "certificate_types": ["rsa"], + "ciphers": { + "iana": [ + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_256_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA" + ], + "openssl": [ + "ECDHE-ECDSA-AES128-GCM-SHA256", + "ECDHE-RSA-AES128-GCM-SHA256", + "ECDHE-ECDSA-AES256-GCM-SHA384", + "ECDHE-RSA-AES256-GCM-SHA384", + "ECDHE-ECDSA-CHACHA20-POLY1305", + "ECDHE-RSA-CHACHA20-POLY1305", + "ECDHE-ECDSA-AES128-SHA256", + "ECDHE-RSA-AES128-SHA256", + "ECDHE-ECDSA-AES128-SHA", + "ECDHE-RSA-AES128-SHA", + "ECDHE-ECDSA-AES256-SHA384", + "ECDHE-RSA-AES256-SHA384", + "ECDHE-ECDSA-AES256-SHA", + "ECDHE-RSA-AES256-SHA", + "AES128-GCM-SHA256", + "AES256-GCM-SHA384", + "AES128-SHA256", + "AES256-SHA256", + "AES128-SHA", + "AES256-SHA", + "DES-CBC3-SHA" + ] + }, + "ciphersuites": [ + "TLS_AES_128_GCM_SHA256", + "TLS_AES_256_GCM_SHA384", + "TLS_CHACHA20_POLY1305_SHA256" + ], + "dh_param_size": 2048, + "ecdh_param_size": 256, + "hsts_min_age": 63072000, + "maximum_certificate_lifespan": 366, + "ocsp_staple": true, + "oldest_clients": ["Firefox 1", "Android 2.3", "Chrome 1", "Edge 12", "IE8 on Windows XP", "Java 6", "OpenSSL 0.9.8", "Opera 5", "Safari 1"], + "recommended_certificate_lifespan": 90, + "rsa_key_size": 2048, + "server_preferred_order": true, + "tls_curves": ["X25519", "prime256v1", "secp384r1"], + "tls_versions": ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"] + } + } +} diff --git a/src/static/guidelines/latest.json b/src/static/guidelines/latest.json index 73921ebc..4cb7e59f 120000 --- a/src/static/guidelines/latest.json +++ b/src/static/guidelines/latest.json @@ -1 +1 @@ -5.8.json \ No newline at end of file +6.0.json \ No newline at end of file From f2987d2ca55c698353601e87abb94afeb476bd95 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Tue, 4 Mar 2025 19:10:20 -0500 Subject: [PATCH 7/8] proposed 6.0 guideline changes - remove "Old" configuration; "Old" configuration is not recommended For those who need to reference older guidance, older versions of the ssl-config-generator may be obtained from the Internet Archive (archive.org) https://web.archive.org/web/*/https://mozilla.github.io/server-side-tls/ssl-config-generator/ --- src/js/index.js | 1 + src/static/guidelines/6.0.json | 69 ---------------------------------- src/templates/index.ejs | 2 + 3 files changed, 3 insertions(+), 69 deletions(-) diff --git a/src/js/index.js b/src/js/index.js index 254ccc35..4ea70421 100755 --- a/src/js/index.js +++ b/src/js/index.js @@ -142,6 +142,7 @@ function form_config_init() { document.getElementById('ocsp').checked = true; } } + document.getElementById('config-old-compat').classList.toggle('d-none', (!isNaN(guideln) && guideln >= 6.0)); } for (let entry of params.entries()) { diff --git a/src/static/guidelines/6.0.json b/src/static/guidelines/6.0.json index 8c56a7f9..d28853f2 100644 --- a/src/static/guidelines/6.0.json +++ b/src/static/guidelines/6.0.json @@ -65,75 +65,6 @@ "server_preferred_order": false, "tls_curves": ["X25519", "prime256v1", "secp384r1"], "tls_versions": ["TLSv1.2", "TLSv1.3"] - }, - "old": { - "certificate_curves": ["prime256v1", "secp384r1"], - "certificate_signatures": ["sha256WithRSAEncryption"], - "certificate_types": ["rsa"], - "ciphers": { - "iana": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA" - ], - "openssl": [ - "ECDHE-ECDSA-AES128-GCM-SHA256", - "ECDHE-RSA-AES128-GCM-SHA256", - "ECDHE-ECDSA-AES256-GCM-SHA384", - "ECDHE-RSA-AES256-GCM-SHA384", - "ECDHE-ECDSA-CHACHA20-POLY1305", - "ECDHE-RSA-CHACHA20-POLY1305", - "ECDHE-ECDSA-AES128-SHA256", - "ECDHE-RSA-AES128-SHA256", - "ECDHE-ECDSA-AES128-SHA", - "ECDHE-RSA-AES128-SHA", - "ECDHE-ECDSA-AES256-SHA384", - "ECDHE-RSA-AES256-SHA384", - "ECDHE-ECDSA-AES256-SHA", - "ECDHE-RSA-AES256-SHA", - "AES128-GCM-SHA256", - "AES256-GCM-SHA384", - "AES128-SHA256", - "AES256-SHA256", - "AES128-SHA", - "AES256-SHA", - "DES-CBC3-SHA" - ] - }, - "ciphersuites": [ - "TLS_AES_128_GCM_SHA256", - "TLS_AES_256_GCM_SHA384", - "TLS_CHACHA20_POLY1305_SHA256" - ], - "dh_param_size": 2048, - "ecdh_param_size": 256, - "hsts_min_age": 63072000, - "maximum_certificate_lifespan": 366, - "ocsp_staple": true, - "oldest_clients": ["Firefox 1", "Android 2.3", "Chrome 1", "Edge 12", "IE8 on Windows XP", "Java 6", "OpenSSL 0.9.8", "Opera 5", "Safari 1"], - "recommended_certificate_lifespan": 90, - "rsa_key_size": 2048, - "server_preferred_order": true, - "tls_curves": ["X25519", "prime256v1", "secp384r1"], - "tls_versions": ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"] } } } diff --git a/src/templates/index.ejs b/src/templates/index.ejs index 0dc92fd8..79957ec0 100755 --- a/src/templates/index.ejs +++ b/src/templates/index.ejs @@ -69,6 +69,7 @@ General-purpose servers with a variety of clients, recommended for almost all systems
+
+
From 00ebc45df27a9842c9ed01ad20ca90de76ad2004 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Wed, 5 Mar 2025 02:26:49 -0500 Subject: [PATCH 8/8] update state.js to promote guideline 6.0 --- src/js/state.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/js/state.js b/src/js/state.js index aab5cb5c..73417db3 100644 --- a/src/js/state.js +++ b/src/js/state.js @@ -2,9 +2,10 @@ import configs from './configs.js'; import minver from './helpers/minver.js'; import { xmlEntities } from './utils.js'; +// note: guideln_latest for '6.0' is rendered as number 6 in guidelines[], not string '6.0' +const guideln_latest = '6.0'; // update when guideline changes const guidelines = {}; -guidelines['5.8'] = require(`../static/guidelines/5.8.json`); -const guideln_latest = '5.8'; // update these two lines when guideline changes +guidelines[guideln_latest] = require(`../static/guidelines/${guideln_latest}.json`); export default async function () {