diff options
| -rwxr-xr-x | certs/gencerts.sh | 8 | ||||
| -rw-r--r-- | roles/common-web/files/etc/nginx/snippets/ssl.conf | 4 |
2 files changed, 6 insertions, 6 deletions
diff --git a/certs/gencerts.sh b/certs/gencerts.sh index 8164945..181767e 100755 --- a/certs/gencerts.sh +++ b/certs/gencerts.sh @@ -5,42 +5,42 @@ PATH=/usr/bin:/bin if [ -n "${GNUPGBIN:-}" ]; then GPG="$GNUPGBIN" elif [ -x /usr/bin/gpg2 ]; then GPG=/usr/bin/gpg2 else GPG=gpg fi GPG_OPTS='--no-auto-check-trustdb --batch --no-verbose --yes' usage() { echo "Usage: $0 /path/to/certs.asc" >&2 exit 1 } x509fpr() { local msg="$1" host cert h spki host="${msg%%,*}"; host="${msg%% *}" cert="$DIR/${host%%:*}.pem" spki=$(openssl x509 -noout -pubkey<"$cert" | openssl pkey -pubin -outform DER | openssl dgst -sha1 | sed -nr 's/^[^=]+=\s*//p') - [ "$typ" = mdwn ] && printf '\n [[%s|https://crt.sh/?spkisha1=%s&iCAID=7395]]\n\n' "$msg" "$spki" \ - || printf ' %s\n X.509: https://crt.sh/?spkisha1=%s&iCAID=7395\n SPKI:\n' "$msg" "$spki" + [ "$typ" = mdwn ] && printf '\n [[%s|https://crt.sh/?spkisha1=%s&iCAID=16418]]\n\n' "$msg" "$spki" \ + || printf ' %s\n X.509: https://crt.sh/?spkisha1=%s&iCAID=16418\n SPKI:\n' "$msg" "$spki" for h in sha1 sha256; do [ "$typ" = mdwn ] || echo -n ' ' echo -n "$h" | tr '[a-z]' '[A-Z]' for i in $(seq 1 $((7 - ${#h}))); do echo -n ' '; done openssl x509 -noout -pubkey<"$cert" | openssl pkey -pubin -outform DER | openssl dgst -"$h" -c | sed -nr 's/^[^=]+=\s*//p' done | sed -r "s/(\S+)(.*)/$indent\1\U\2/" } sshfpr() { local msg="$1" host t h fpr host="${msg%%,*}"; host="${msg%% *}"; host="${host#*@}" [ "$typ" = mdwn ] && { echo; echo " $msg"; echo; } || echo " $msg" [ "${host#*:}" != 22 ] || host="${host%%:*}" for h in MD5 SHA256; do ssh-keygen -E "$h" -f "$DIR/../ssh_known_hosts" -lF "${host#*@}" done | sed -nr 's/^[^ #]+\s+//p' | sed -r 's/^(\S+)\s+(MD5|SHA256):/\1 \2 /' | while read t h fpr; do echo -n "$indent$t" for i in $(seq 1 $((7 - ${#h}))); do echo -n ' '; done echo "$h:$fpr" @@ -89,71 +89,71 @@ VCS_BROWSER='https://git.fripost.org/fripost-ansible' trap 'rm -f "$src" "$src2" "$asc2" "$mdwn2"' EXIT if [ -s "$asc" ]; then "$GPG" $GPG_OPTS --logger-file=/dev/null --output="$src" -- "$asc" fi # Generate ASCII file to be clearsigned cat >"$src2" << EOF The following is an up-to date list of SHA-1 and SHA-256 fingerprints of all SPKI (Subject Public Key Info) of each X.509 certificate Fripost uses on its publicly available services. Please consider any mismatch as a man-in-the-middle attack, and let us know immediately! -- admin@fripost.org These certificates are all issued by the Let's Encrypt Certificate Authority, and are submitted to Certificate Transparency logs. You can view all issued Let's Encrypt certificates at crt.sh: - https://crt.sh/?Identity=%25fripost.org&iCAID=7395 + https://crt.sh/?Identity=%25fripost.org&iCAID=16418 Our X.509 certificates are also available in PEM format at: $VCS_BROWSER/tree/certs/public , Git repository from which this fingerprint list was generated, at commit ID $(git --no-pager --git-dir="$DIR/../../.git" --work-tree="$DIR" log -1 --pretty=format:'%h from %aD' -- "$DIR"). EOF allfpr asc >>"$src2" # Generate markdown file cat >"$mdwn2" << EOF # Certificates at Fripost The following is an up-to date list of SHA-1 and SHA-256 fingerprints of all SPKI (Subject Public Key Info) of each X.509 certificate Fripost uses on its publicly available services. Please consider any mismatch as a man-in-the-middle attack, and let us know immediately! (See also the [[signed version of this page|certs.asc]].) -- [[admin@fripost.org|mailto:admin@fripost.org]] These certificates are all issued by the [[Let's Encrypt Certificate Authority|https://letsencrypt.org]], and are submitted to [[Certificate Transparency logs|https://www.certificate-transparency.org]]. You can view all issued Let's Encrypt certificates at -[[crt.sh|https://crt.sh/?Identity=%25fripost.org&iCAID=7395]]. +[[crt.sh|https://crt.sh/?Identity=%25fripost.org&iCAID=16418]]. Our X.509 certificates are also available in PEM format under our [[Git repository|$VCS_BROWSER/tree/certs/public]], from which this fingerprint list was [[generated|$VCS_BROWSER/tree/certs/gencerts.sh]], at $(git --no-pager --git-dir="$DIR/../../.git" --work-tree="$DIR" log -1 --pretty=format:"[[Commit ID %h from %aD|$VCS_BROWSER/tree/certs/public?id=%H]]" -- "$DIR"). EOF allfpr mdwn >>"$mdwn2" echo >>"$src2" if diff -u --label "a/${asc%.asc}" --label "b/${asc%.asc}" -- "$src" "$src2" && diff -q -- "$mdwn" "$mdwn2" >/dev/null; then echo 'The fingerprint list is up to date.' else "$GPG" $GPG_OPTS --output="$asc2" --clearsign -- "$src2" cp -f "$asc2" "$asc" cp -f "$mdwn2" "$mdwn" echo ================================ echo "The fingerprint lists ($asc and $mdwn) have been updated!" diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf index 0f989b8..1403846 100644 --- a/roles/common-web/files/etc/nginx/snippets/ssl.conf +++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf @@ -1,30 +1,30 @@ # https://wiki.mozilla.org/Security/Server_Side_TLS # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate -# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem +# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem ssl on; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits ssl_dhparam /etc/ssl/private/dhparams.pem; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security 'max-age=15768000; includeSubdomains'; # OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them # https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf ssl_stapling on; ssl_stapling_verify on; # verify chain of trust of OCSP response using Root CA and Intermediate certs -ssl_trusted_certificate /usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem; +ssl_trusted_certificate /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem; |