зеркало из https://github.com/mozilla/gecko-dev.git
175 строки
7.3 KiB
Plaintext
175 строки
7.3 KiB
Plaintext
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
#
|
|
# This file enables policy testing
|
|
#
|
|
# The policy string is set to the config= line in the pkcs11.txt
|
|
# it currently has 2 keywords:
|
|
#
|
|
# disallow= turn off the use of this algorithm by policy.
|
|
# allow= allow this algorithm to by used if selected by policy.
|
|
#
|
|
# The syntax is disallow=algorithm{/uses}:algorithm{/uses}
|
|
# where {} signifies an optional element
|
|
#
|
|
# valid algorithms are:
|
|
# ECC curves:
|
|
# PRIME192V1
|
|
# PRIME192V2
|
|
# PRIME192V3
|
|
# PRIME239V1
|
|
# PRIME239V2
|
|
# PRIME239V3
|
|
# PRIME256V1
|
|
# SECP112R1
|
|
# SECP112R2
|
|
# SECP128R1
|
|
# SECP128R2
|
|
# SECP160K1
|
|
# SECP160R1
|
|
# SECP160R2
|
|
# SECP192K1
|
|
# SECP192R1
|
|
# SECP224K1
|
|
# SECP256K1
|
|
# SECP256R1
|
|
# SECP384R1
|
|
# SECP521R1
|
|
# C2PNB163V1
|
|
# C2PNB163V2
|
|
# C2PNB163V3
|
|
# C2PNB176V1
|
|
# C2TNB191V1
|
|
# C2TNB191V2
|
|
# C2TNB191V3
|
|
# C2ONB191V4
|
|
# C2ONB191V5
|
|
# C2PNB208W1
|
|
# C2TNB239V1
|
|
# C2TNB239V2
|
|
# C2TNB239V3
|
|
# C2ONB239V4
|
|
# C2ONB239V5
|
|
# C2PNB272W1
|
|
# C2PNB304W1
|
|
# C2TNB359V1
|
|
# C2PNB368W1
|
|
# C2TNB431R1
|
|
# SECT113R1
|
|
# SECT131R1
|
|
# SECT131R1
|
|
# SECT131R2
|
|
# SECT163K1
|
|
# SECT163R1
|
|
# SECT163R2
|
|
# SECT193R1
|
|
# SECT193R2
|
|
# SECT233K1
|
|
# SECT233R1
|
|
# SECT239K1
|
|
# SECT283K1
|
|
# SECT283R1
|
|
# SECT409K1
|
|
# SECT409R1
|
|
# SECT571K1
|
|
# SECT571R1
|
|
# Hashes:
|
|
# MD2
|
|
# MD4
|
|
# MD5
|
|
# SHA1
|
|
# SHA224
|
|
# SHA256
|
|
# SHA384
|
|
# SHA512
|
|
# MACs:
|
|
# HMAC-SHA1
|
|
# HMAC-SHA224
|
|
# HMAC-SHA256
|
|
# HMAC-SHA384
|
|
# HMAC-SHA512
|
|
# HMAC-MD5
|
|
# Ciphers:
|
|
# AES128-CBC
|
|
# AES192-CBC
|
|
# AES256-CBC
|
|
# AES128-GCM
|
|
# AES192-GCM
|
|
# AES256-GCM
|
|
# CAMELLIA128-CBC
|
|
# CAMELLIA192-CBC
|
|
# CAMELLIA256-CBC
|
|
# SEED-CBC
|
|
# DES-EDE3-CBC
|
|
# DES-40-CBC
|
|
# DES-CBC
|
|
# NULL-CIPHER
|
|
# RC2
|
|
# RC4
|
|
# IDEA
|
|
# Key exchange
|
|
# RSA
|
|
# RSA-EXPORT
|
|
# DHE-RSA
|
|
# DHE-DSS
|
|
# DH-RSA
|
|
# DH-DSS
|
|
# ECDHE-ECDSA
|
|
# ECDHE-RSA
|
|
# ECDH-ECDSA
|
|
# ECDH-RSA
|
|
# SSL Versions
|
|
# SSL2.0
|
|
# SSL3.0
|
|
# TLS1.0
|
|
# TLS1.1
|
|
# TLS1.2
|
|
# DTLS1.1
|
|
# DTLS1.2
|
|
# Include all of the above:
|
|
# ALL
|
|
#-----------------------------------------------
|
|
# Uses are:
|
|
# ssl
|
|
# ssl-key-exchange
|
|
# key-exchange (includes ssl-key-exchange)
|
|
# cert-signature
|
|
# signature (includes cert-signature)
|
|
# all (includes all of the above)
|
|
#-----------------------------------------------
|
|
# In addition there are the following options:
|
|
# min-rsa
|
|
# min-dh
|
|
# min-dsa
|
|
# they have the following syntax:
|
|
# allow=min-rsa=512:min-dh=1024
|
|
#
|
|
# Exp Enable Enable Cipher Config Policy Test Name
|
|
# Ret EC TLS
|
|
# turn on single cipher
|
|
0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
|
|
0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
|
|
0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
|
|
1 noECC SSL3 d disallow=all Disallow All Explicitly.
|
|
# turn off signature only
|
|
1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly.
|
|
1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
|
|
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
|
|
# turn off single cipher
|
|
1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly
|
|
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
|
|
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
|
|
# turn off H-Mac
|
|
1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly
|
|
1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
|
|
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
|
|
# turn off key exchange
|
|
1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
|
|
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
|
|
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
|
|
# turn off version
|
|
1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
|
|
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.
|
|
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly.
|