
@lrstewart
Last active May 28, 2024 17:55
defaults v3
diff --git a/default.old b/default.new
index 0cd3d4dc6..5e6a085f9 100644
--- a/default.old
+++ b/default.new
@@ -1,29 +1,32 @@
-name: 20170210
-min version: TLS1.0
+name: 20240501
+min version: TLS1.2
rules:
-- Perfect Forward Secrecy: no
+- Perfect Forward Secrecy: yes
- FIPS 140-3 (2019): no
cipher suites:
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
-- TLS_RSA_WITH_AES_128_GCM_SHA256
-- TLS_RSA_WITH_AES_128_CBC_SHA256
-- TLS_RSA_WITH_AES_128_CBC_SHA
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
signature schemes:
-- rsa_pkcs1_sha256
-- rsa_pkcs1_sha384
-- rsa_pkcs1_sha512
-- legacy_rsa_pkcs1_sha224
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
-- legacy_ecdsa_sha224
-- rsa_pkcs1_sha1
-- ecdsa_sha1
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
curves:
- secp256r1
+- x25519
- secp384r1
+- secp521r1
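Review bot: The new default keeps the four ECDHE AES-CBC suites (the `..._CBC_SHA256` / `..._CBC_SHA384` lines) while removing `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, so a peer that cannot negotiate AES-GCM now ends up on a CBC suite rather than on an AEAD one; `default_tls13.new` further down this gist still lists the ChaCha20 suites, so the asymmetry looks deliberate but is not written down anywhere. A one-line comment next to the CBC entries stating why they are retained and why ChaCha20 is left out of `default` would spare the next reviewer the same question. Separately, the bare `yes`/`no` rule values and the all-digit `name` are typed as bool/int by YAML 1.1 loaders; if anything parses these files as YAML rather than with a purpose-built reader, they should be quoted (`name: "20240501"`).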
# Proposed "default" security policy — the new side of the default.old -> default.new diff above.
# NOTE(review): the all-digit name and the bare yes/no values are typed as int/bool by YAML 1.1
# loaders; if a YAML parser consumes this file they should be quoted — confirm the consumer's format.
name: 20240501
# Lowest protocol version the policy allows.
min version: TLS1.2
rules:
- Perfect Forward Secrecy: yes
- FIPS 140-3 (2019): no
# ECDHE-only suites; for each key type the AES-GCM entries are listed ahead of the AES-CBC/SHA-2 entries.
# No ChaCha20 suite is listed (default.old had TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256).
cipher suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
# ECDSA, then RSA-PSS (pss and rsae), then RSA PKCS#1 v1.5 — all with SHA-2; the SHA-1 and
# SHA-224 ("legacy_") entries of default.old are gone.
signature schemes:
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- rsa_pss_pss_sha256
- rsa_pss_pss_sha384
- rsa_pss_pss_sha512
- rsa_pss_rsae_sha256
- rsa_pss_rsae_sha384
- rsa_pss_rsae_sha512
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
# Named curves; x25519 and secp521r1 are additions relative to default.old.
curves:
- secp256r1
- x25519
- secp384r1
- secp521r1
# Superseded "default" security policy — the old side of the default.old -> default.new diff above.
# NOTE(review): the all-digit name and the bare no values are typed as int/bool by YAML 1.1
# loaders; if a YAML parser consumes this file they should be quoted — confirm the consumer's format.
name: 20170210
# Lowest protocol version the policy allows.
min version: TLS1.0
rules:
- Perfect Forward Secrecy: no
- FIPS 140-3 (2019): no
# Mixes ECDHE suites with static-RSA (TLS_RSA_*) suites and SHA-1-MAC CBC suites; default.new
# drops all of the TLS_RSA_* and *_CBC_SHA entries.
cipher suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
# RSA PKCS#1 v1.5 and ECDSA only (no RSA-PSS), including SHA-224 "legacy_" and SHA-1 entries
# that default.new removes.
signature schemes:
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
- legacy_rsa_pkcs1_sha224
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- legacy_ecdsa_sha224
- rsa_pkcs1_sha1
- ecdsa_sha1
# Named curves; only the two NIST curves, no x25519.
curves:
- secp256r1
- secp384r1
diff --git a/default_fips.old b/default_fips.new
index 43f0ea904..a06198b37 100644
--- a/default_fips.old
+++ b/default_fips.new
@@ -1,4 +1,4 @@
-name: 20240416
+name: 20240502
min version: TLS1.2
rules:
- Perfect Forward Secrecy: yes
@@ -12,25 +12,34 @@ cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
-- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
-- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
-- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
signature schemes:
-- rsa_pkcs1_sha256
-- rsa_pkcs1_sha384
-- rsa_pkcs1_sha512
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
-- legacy_ecdsa_sha224
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
+- rsa_pkcs1_sha256
+- rsa_pkcs1_sha384
+- rsa_pkcs1_sha512
curves:
- secp256r1
- secp384r1
+- secp521r1
certificate signature schemes:
+- rsa_pss_pss_sha256
+- rsa_pss_pss_sha384
+- rsa_pss_pss_sha512
+- rsa_pss_rsae_sha256
+- rsa_pss_rsae_sha384
+- rsa_pss_rsae_sha512
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
+- legacy_rsa_pkcs1_sha224
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
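Review bot: `legacy_rsa_pkcs1_sha224` is added to `certificate signature schemes` in the same hunk that removes `legacy_ecdsa_sha224` from `signature schemes`, so SHA-224 stays acceptable for certificate signatures but not for handshake signatures; the `legacy_` prefix suggests a compatibility carve-out, but nothing in the file says so. A comment on that line naming what it is kept for (and whether it is meant to be removed on the next bump) would make the intent reviewable, e.g. `# legacy_rsa_pkcs1_sha224: kept for <reason — fill in>`. The `certificate signature schemes` list continues past the end of this hunk.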
# Proposed FIPS security policy — the new side of the default_fips.old -> default_fips.new diff above.
# NOTE(review): the all-digit name and the bare yes values are typed as int/bool by YAML 1.1
# loaders; if a YAML parser consumes this file they should be quoted — confirm the consumer's format.
name: 20240502
# Lowest protocol version the policy allows.
min version: TLS1.2
rules:
- Perfect Forward Secrecy: yes
- FIPS 140-3 (2019): yes
# ECDHE-only suites — the four TLS_DHE_RSA_* entries of default_fips.old are gone; same list as
# default.new.
cipher suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
# Handshake signature schemes: ECDSA, RSA-PSS (pss and rsae), RSA PKCS#1 v1.5 — SHA-2 only;
# legacy_ecdsa_sha224 from default_fips.old is removed.
signature schemes:
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- rsa_pss_pss_sha256
- rsa_pss_pss_sha384
- rsa_pss_pss_sha512
- rsa_pss_rsae_sha256
- rsa_pss_rsae_sha384
- rsa_pss_rsae_sha512
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
# NIST curves only — no x25519 here, unlike default.new; secp521r1 is new.
curves:
- secp256r1
- secp384r1
- secp521r1
# Schemes accepted on certificates. Broader than the handshake list: the two SHA-224 "legacy_"
# entries remain, and legacy_rsa_pkcs1_sha224 is newly added — see the review note on the diff.
certificate signature schemes:
- rsa_pss_pss_sha256
- rsa_pss_pss_sha384
- rsa_pss_pss_sha512
- rsa_pss_rsae_sha256
- rsa_pss_rsae_sha384
- rsa_pss_rsae_sha512
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
- legacy_rsa_pkcs1_sha224
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- legacy_ecdsa_sha224
# Superseded FIPS security policy — the old side of the default_fips.old -> default_fips.new diff above.
# NOTE(review): the all-digit name and the bare yes values are typed as int/bool by YAML 1.1
# loaders; if a YAML parser consumes this file they should be quoted — confirm the consumer's format.
name: 20240416
# Lowest protocol version the policy allows.
min version: TLS1.2
rules:
- Perfect Forward Secrecy: yes
- FIPS 140-3 (2019): yes
# ECDHE suites followed by four finite-field TLS_DHE_RSA_* suites; default_fips.new drops the DHE ones.
cipher suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
# No RSA-PSS schemes; includes the SHA-224 legacy_ecdsa_sha224 entry that default_fips.new removes.
signature schemes:
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- legacy_ecdsa_sha224
# NIST curves only.
curves:
- secp256r1
- secp384r1
# Schemes accepted on certificates; no RSA-PSS entries (default_fips.new adds them).
certificate signature schemes:
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- legacy_ecdsa_sha224
diff --git a/default_tls13.old b/default_tls13.new
index 7db2c56b8..e97bd0002 100644
--- a/default_tls13.old
+++ b/default_tls13.new
@@ -1,7 +1,7 @@
-name: 20240417
-min version: TLS1.0
+name: 20240503
+min version: TLS1.2
rules:
-- Perfect Forward Secrecy: no
+- Perfect Forward Secrecy: yes
- FIPS 140-3 (2019): no
cipher suites:
- TLS_AES_128_GCM_SHA256
@@ -13,16 +13,14 @@ cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
-- TLS_RSA_WITH_AES_128_GCM_SHA256
-- TLS_RSA_WITH_AES_128_CBC_SHA256
-- TLS_RSA_WITH_AES_128_CBC_SHA
signature schemes:
+- ecdsa_sha256
+- ecdsa_sha384
+- ecdsa_sha512
- rsa_pss_pss_sha256
- rsa_pss_pss_sha384
- rsa_pss_pss_sha512
@@ -32,17 +30,11 @@ signature schemes:
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
-- legacy_rsa_pkcs1_sha224
-- ecdsa_sha256
-- ecdsa_sha384
-- ecdsa_sha512
-- legacy_ecdsa_sha224
-- rsa_pkcs1_sha1
-- ecdsa_sha1
curves:
-- x25519
- secp256r1
+- x25519
- secp384r1
+- secp521r1
certificate signature schemes:
- rsa_pss_pss_sha256
- rsa_pss_pss_sha384
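Review bot: `x25519` moves from first place to second behind `secp256r1` in `curves` (the `-- x25519` line is re-added after `secp256r1`); if this list also decides which TLS 1.3 key_share a client sends first, the change alters the default key share and can cost a HelloRetryRequest round trip against peers that prefer x25519 — confirm the reorder is meant to match `default.new` rather than a side effect of copying that list, and record it in the policy description. The removal of the SHA-1 and SHA-224 signature schemes in the same hunk is the expected cleanup and needs no further comment. The `certificate signature schemes` list continues beyond the end of this hunk.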
# Proposed TLS 1.3-capable default policy — the new side of the default_tls13.old -> default_tls13.new diff above.
# NOTE(review): the all-digit name and the bare yes/no values are typed as int/bool by YAML 1.1
# loaders; if a YAML parser consumes this file they should be quoted — confirm the consumer's format.
name: 20240503
# Lowest protocol version the policy allows (raised from TLS1.0 in default_tls13.old).
min version: TLS1.2
rules:
- Perfect Forward Secrecy: yes
- FIPS 140-3 (2019): no
# TLS 1.3 suites first, then TLS 1.2 ECDHE suites: GCM, ChaCha20-Poly1305, then AES-CBC with SHA-2 MACs.
# The *_CBC_SHA (SHA-1 MAC) and static-RSA TLS_RSA_* suites of default_tls13.old are gone.
cipher suites:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# Handshake signature schemes — SHA-2 only; ECDSA now listed ahead of the RSA schemes, and the
# SHA-1 / SHA-224 entries of default_tls13.old are removed. Same list as default.new.
signature schemes:
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- rsa_pss_pss_sha256
- rsa_pss_pss_sha384
- rsa_pss_pss_sha512
- rsa_pss_rsae_sha256
- rsa_pss_rsae_sha384
- rsa_pss_rsae_sha512
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
# Named curves; secp256r1 now precedes x25519 (the reverse of default_tls13.old) and secp521r1 is new.
curves:
- secp256r1
- x25519
- secp384r1
- secp521r1
# Schemes accepted on certificates; unchanged from default_tls13.old and broader than the handshake
# list (keeps the two SHA-224 "legacy_" entries).
certificate signature schemes:
- rsa_pss_pss_sha256
- rsa_pss_pss_sha384
- rsa_pss_pss_sha512
- rsa_pss_rsae_sha256
- rsa_pss_rsae_sha384
- rsa_pss_rsae_sha512
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
- legacy_rsa_pkcs1_sha224
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- legacy_ecdsa_sha224
# Superseded TLS 1.3-capable default policy — the old side of the default_tls13.old -> default_tls13.new diff above.
# NOTE(review): the all-digit name and the bare no values are typed as int/bool by YAML 1.1
# loaders; if a YAML parser consumes this file they should be quoted — confirm the consumer's format.
name: 20240417
# Lowest protocol version the policy allows.
min version: TLS1.0
rules:
- Perfect Forward Secrecy: no
- FIPS 140-3 (2019): no
# TLS 1.3 suites first, then TLS 1.2 ECDHE suites (GCM, ChaCha20, CBC with SHA-1 and SHA-256 MACs),
# then static-RSA TLS_RSA_* suites; default_tls13.new removes the *_CBC_SHA and TLS_RSA_* entries.
cipher suites:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
# Handshake signature schemes, including the SHA-224 "legacy_" and SHA-1 entries that
# default_tls13.new removes.
signature schemes:
- rsa_pss_pss_sha256
- rsa_pss_pss_sha384
- rsa_pss_pss_sha512
- rsa_pss_rsae_sha256
- rsa_pss_rsae_sha384
- rsa_pss_rsae_sha512
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
- legacy_rsa_pkcs1_sha224
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- legacy_ecdsa_sha224
- rsa_pkcs1_sha1
- ecdsa_sha1
# Named curves; x25519 listed first here (default_tls13.new moves it behind secp256r1).
curves:
- x25519
- secp256r1
- secp384r1
# Schemes accepted on certificates; carried over unchanged into default_tls13.new.
certificate signature schemes:
- rsa_pss_pss_sha256
- rsa_pss_pss_sha384
- rsa_pss_pss_sha512
- rsa_pss_rsae_sha256
- rsa_pss_rsae_sha384
- rsa_pss_rsae_sha512
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
- legacy_rsa_pkcs1_sha224
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- legacy_ecdsa_sha224