[ tor-browser ].git.dasho

sslpolicy.txt (10100B)
      1 # This Source Code Form is subject to the terms of the Mozilla Public
      2 # License, v. 2.0. If a copy of the MPL was not distributed with this
      3 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
      4 #
      5 # This file enables policy testing
      6 #
      7 # The policy string is set to the config= line in the pkcs11.txt
      8 # it currently has 2 keywords:
      9 #
     10 # disallow= turn off the use of this algorithm by policy. (implies disable)
     11 # allow= allow this algorithm to by used if selected by policy.
     12 # disable= turn off the use of this algorithm even if allowed by policy 
     13 #          (application can override)
     14 # enable= turn off this algorithm by default (implies allow)
     15 # flags= policy-lock: can't change policy with NSS_SetAlgorithmPolicy,
     16 #  NSS_SetOption, or SSL_SetCipherPolicy
     17 #        ssl-lock: can't change the cipher suite settings with the application.
     18 #
     19 # The syntax is disallow=algorithm{/uses}:algorithm{/uses}
     20 # where {} signifies an optional element
     21 #
     22 # valid algorithms are:
     23 # ECC curves:
     24 #	PRIME192V1
     25 #	PRIME192V2
     26 #	PRIME192V3
     27 #	PRIME239V1
     28 #	PRIME239V2
     29 #	PRIME239V3
     30 #	PRIME256V1
     31 #	SECP112R1
     32 #	SECP112R2
     33 #	SECP128R1
     34 #	SECP128R2
     35 #	SECP160K1
     36 #	SECP160R1
     37 #	SECP160R2
     38 #	SECP192K1
     39 #	SECP192R1
     40 #	SECP224K1
     41 #	SECP256K1
     42 #	SECP256R1
     43 #	SECP384R1
     44 #	SECP521R1
     45 #	C2PNB163V1
     46 #	C2PNB163V2
     47 #	C2PNB163V3
     48 #	C2PNB176V1
     49 #	C2TNB191V1
     50 #	C2TNB191V2
     51 #	C2TNB191V3
     52 #	C2ONB191V4
     53 #	C2ONB191V5
     54 #	C2PNB208W1
     55 #	C2TNB239V1
     56 #	C2TNB239V2
     57 #	C2TNB239V3
     58 #	C2ONB239V4
     59 #	C2ONB239V5
     60 #	C2PNB272W1
     61 #	C2PNB304W1
     62 #	C2TNB359V1
     63 #	C2PNB368W1
     64 #	C2TNB431R1
     65 #	SECT113R1
     66 #	SECT131R1
     67 #	SECT131R1
     68 #	SECT131R2
     69 #	SECT163K1
     70 #	SECT163R1
     71 #	SECT163R2
     72 #	SECT193R1
     73 #	SECT193R2
     74 #	SECT233K1
     75 #	SECT233R1
     76 #	SECT239K1
     77 #	SECT283K1
     78 #	SECT283R1
     79 #	SECT409K1
     80 #	SECT409R1
     81 #	SECT571K1
     82 #	SECT571R1
     83 # Signatures:
     84 #	DSA
     85 #	RSA-PKCS
     86 #	RSA-PSS
     87 #       ECDSA
     88 # Hashes:
     89 #	MD2
     90 #	MD4
     91 #	MD5
     92 #	SHA1
     93 #	SHA224
     94 #	SHA256
     95 #	SHA384
     96 #	SHA512
     97 # MACs:
     98 #	HMAC-SHA1
     99 #	HMAC-SHA224
    100 #	HMAC-SHA256
    101 #	HMAC-SHA384
    102 #	HMAC-SHA512
    103 #	HMAC-MD5
    104 # Ciphers:
    105 #	AES128-CBC
    106 #	AES192-CBC
    107 #	AES256-CBC
    108 #	AES128-GCM
    109 #	AES192-GCM
    110 #	AES256-GCM
    111 #	CAMELLIA128-CBC
    112 #	CAMELLIA192-CBC
    113 #	CAMELLIA256-CBC
    114 #	SEED-CBC
    115 #	DES-EDE3-CBC
    116 #	DES-40-CBC
    117 #	DES-CBC
    118 #	NULL-CIPHER
    119 #	RC2
    120 #	RC4
    121 #	IDEA
    122 # Key exchange
    123 #	RSA
    124 #	RSA-EXPORT
    125 #	DHE-RSA
    126 #	DHE-DSS
    127 #	DH-RSA
    128 #	DH-DSS
    129 #	ECDHE-ECDSA
    130 #	ECDHE-RSA
    131 #	ECDH-ECDSA
    132 #	ECDH-RSA
    133 # SSL Versions
    134 #	SSL2.0
    135 #	SSL3.0
    136 #	TLS1.0
    137 #	TLS1.1
    138 #	TLS1.2
    139 #	DTLS1.1
    140 #	DTLS1.2
    141 # Include all of the above:
    142 #       ALL
    143 #-----------------------------------------------
    144 # Uses are:
    145 #    ssl
    146 #    ssl-key-exchange
    147 #    key-exchange (includes ssl-key-exchange)
    148 #    cert-signature
    149 #    all-signature (includes cert-signature)
    150 #    signature (all signatures off, some signature allowed based on other option)
    151 #    all (includes all of the above)
    152 #-----------------------------------------------
    153 # In addition there are the following options:
    154 #     min-rsa
    155 #     min-dh
    156 #     min-dsa
    157 #  they have the following syntax:
    158 #  allow=min-rsa=512:min-dh=1024
    159 #
    160 # in the following tests, we use the cipher suite 'd':
    161 # d    SSL3 RSA WITH 3DES EDE CBC SHA  (=:000a).
    162 # NOTE: the certificates used in validation are rsa-pkcs1/sha256 signed.
    163 #
    164 # Exp Enable Enable Cipher Config Policy      Test Name
    165 # Ret  EC     TLS
    166 # turn on single cipher 
    167  0 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
    168  0 noECC  SSL3   d    disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/all-signature:rsa-pkcs/all-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
    169  0 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:dsa/all:rsa-pss/all:ecdsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
    170  1 noECC  SSL3   d    disallow=all Disallow All Explicitly
    171 # turn off signature only
    172  1 noECC  SSL3   d    disallow=all/signature Disallow all signatures with Explicitly
    173  1 noECC  SSL3   d    disallow=sha256 Disallow SHA256 Explicitly
    174  1 noECC  SSL3   d    disallow=sha256/cert-signature Disallow SHA256 Certificate signature Explicitly
    175  1 noECC  SSL3   d    disallow=sha256/signature Disallow All SHA256 signatures Explicitly
    176  1 noECC  SSL3   d    disallow=sha256/all-signature Disallow Any SHA256 signature Explicitly
    177  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow
    178  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:dsa/all:ecdsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly
    179 # turn off single cipher 
    180  1 noECC  SSL3   d    disallow=des-ede3-cbc Disallow Cipher Explicitly
    181  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow
    182  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly
    183 # turn off H-Mac
    184  1 noECC  SSL3   d    disallow=hmac-sha1 Disallow HMAC Explicitly
    185  1 noECC  SSL3   d    disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow
    186  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly
    187 # turn off key exchange 
    188  1 noECC  SSL3   d    disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly
    189  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow
    190  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchange Signatures Implicitly
    191 # turn off  version
    192  1 noECC  SSL3   d    allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
    193  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
    194  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
    195  0 noECC  SSL3   d    disallow=dsa Disallow DSA Signatures Explicitly
    196  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
    197  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
    198  0 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
    199  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
    200  0 noECC  SSL3   d    allow=rsa-min=1023 Restrict RSA keys when used in SSL
    201 # test default settings
    202 # NOTE: tstclient will attempt to overide the defaults, so we detect we
    203 # were successful by locking in our settings
    204  0 noECC  SSL3   d    allow=all_disable=all Disable all by default, application override
    205  1 noECC SSL3    d    allow=all_disable=all_flags=ssl-lock,policy-lock Disable all by default, prevent application from enabling
    206  0 noECC SSL3    d    allow=all_disable=all_flags=policy-lock Disable all by default, lock policy (application can still change the ciphers)
    207 # explicitly enable :002f  RSA_AES_128_CBC_SHA1 and lock it in
    208  0 noECC SSL3    d    allow=all_disable=all_enable=hmac-sha1:sha256:rsa-pkcs:rsa:aes128-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0_flags=ssl-lock Lock in a different ciphersuite that the one the application asks for
	tor-browser The Tor Browser
	git clone https://git.dasho.dev/tor-browser.git
	Log \| Files \| Refs \| README \| LICENSE