tests/ssl/sslpolicy.txt
author J.C. Jones <jjones@mozilla.com>
Fri, 21 Jun 2019 14:39:01 -0700
branchNSS_3_36_BRANCH
changeset 15182 de60f2b7f0c3fac0537346f1077f03d6d849edc5
parent 11779 0d419662b42db191538ddca1efc3121d08563044
child 15028 4bc22e14a5926cf38cf746155e050da395442cce
permissions -rw-r--r--
Added tag NSS_3_36_8_RTM for changeset df8917878ea6

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This file enables policy testing
#
# The policy string is set to the config= line in the pkcs11.txt
# it currently has 2 keywords:
#
# disallow= turn off the use of this algorithm by policy.
# allow= allow this algorithm to by used if selected by policy.
#
# The syntax is disallow=algorithm{/uses}:algorithm{/uses}
# where {} signifies an optional element
#
# valid algorithms are:
# ECC curves:
#	PRIME192V1
#	PRIME192V2
#	PRIME192V3
#	PRIME239V1
#	PRIME239V2
#	PRIME239V3
#	PRIME256V1
#	SECP112R1
#	SECP112R2
#	SECP128R1
#	SECP128R2
#	SECP160K1
#	SECP160R1
#	SECP160R2
#	SECP192K1
#	SECP192R1
#	SECP224K1
#	SECP256K1
#	SECP256R1
#	SECP384R1
#	SECP521R1
#	C2PNB163V1
#	C2PNB163V2
#	C2PNB163V3
#	C2PNB176V1
#	C2TNB191V1
#	C2TNB191V2
#	C2TNB191V3
#	C2ONB191V4
#	C2ONB191V5
#	C2PNB208W1
#	C2TNB239V1
#	C2TNB239V2
#	C2TNB239V3
#	C2ONB239V4
#	C2ONB239V5
#	C2PNB272W1
#	C2PNB304W1
#	C2TNB359V1
#	C2PNB368W1
#	C2TNB431R1
#	SECT113R1
#	SECT131R1
#	SECT131R1
#	SECT131R2
#	SECT163K1
#	SECT163R1
#	SECT163R2
#	SECT193R1
#	SECT193R2
#	SECT233K1
#	SECT233R1
#	SECT239K1
#	SECT283K1
#	SECT283R1
#	SECT409K1
#	SECT409R1
#	SECT571K1
#	SECT571R1
# Hashes:
#	MD2
#	MD4
#	MD5
#	SHA1
#	SHA224
#	SHA256
#	SHA384
#	SHA512
# MACs:
#	HMAC-SHA1
#	HMAC-SHA224
#	HMAC-SHA256
#	HMAC-SHA384
#	HMAC-SHA512
#	HMAC-MD5
# Ciphers:
#	AES128-CBC
#	AES192-CBC
#	AES256-CBC
#	AES128-GCM
#	AES192-GCM
#	AES256-GCM
#	CAMELLIA128-CBC
#	CAMELLIA192-CBC
#	CAMELLIA256-CBC
#	SEED-CBC
#	DES-EDE3-CBC
#	DES-40-CBC
#	DES-CBC
#	NULL-CIPHER
#	RC2
#	RC4
#	IDEA
# Key exchange
#	RSA
#	RSA-EXPORT
#	DHE-RSA
#	DHE-DSS
#	DH-RSA
#	DH-DSS
#	ECDHE-ECDSA
#	ECDHE-RSA
#	ECDH-ECDSA
#	ECDH-RSA
# SSL Versions
#	SSL2.0
#	SSL3.0
#	TLS1.0
#	TLS1.1
#	TLS1.2
#	DTLS1.1
#	DTLS1.2
# Include all of the above:
#       ALL
#-----------------------------------------------
# Uses are:
#    ssl
#    ssl-key-exchange
#    key-exchange (includes ssl-key-exchange)
#    cert-signature
#    signature (includes cert-signature)
#    all (includes all of the above)
#-----------------------------------------------
# In addition there are the following options:
#     min-rsa
#     min-dh
#     min-dsa
#  they have the following syntax:
#  allow=min-rsa=512:min-dh=1024
#
# Exp Enable Enable Cipher Config Policy      Test Name
# Ret  EC     TLS
# turn on single cipher 
  0 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
  0 noECC  SSL3   d    disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
  0 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
  1 noECC  SSL3   d    disallow=all Disallow All Explicitly.
# turn off signature only
  1 noECC  SSL3   d    disallow=sha256 Disallow SHA256 Signatures Explicitly.
  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
# turn off single cipher 
  1 noECC  SSL3   d    disallow=des-ede3-cbc Disallow Cipher Explicitly
  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
# turn off H-Mac
  1 noECC  SSL3   d    disallow=hmac-sha1 Disallow HMAC Explicitly
  1 noECC  SSL3   d    disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
# turn off key exchange 
  1 noECC  SSL3   d    disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
# turn off  version
  1 noECC  SSL3   d    allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.
  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly.