# A level that will provide security on a conservative level that is
# believed to withstand any near-term future attacks. That will be
# an 112-bit security level, without including protocols with known
# attacks available (e.g. SSL 3.0). This level may prevent communication
# with many used systems that provide weaker security levels (e.g.,
# systems that use SHA-1 as signature algorithm).

# MACs: SHA1+
# Curves: of size 256+ or better
# Signature algorithms: must use SHA-256 hash or better
# Ciphers: AES-GCM, AES-CCM, AES-CBC, CAMELLIA-GCM, CAMELLIA-CBC
# Key exchange: ECDHE, RSA, DHE
# DH params size: 2048+
# RSA params size: 2048+
# Protocols: TLS1.2+

CONFIG_GNUTLS="$(cat <<EOF
SYSTEM=NONE:+VERS-TLS1.2:\
+VERS-DTLS1.2:\
+AEAD:+SHA1:+SHA256:+SHA384:\
+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:\
+AES-256-GCM:+AES-256-CCM:+AES-256-CBC:+CAMELLIA-256-GCM:+CAMELLIA-256-CBC:\
+AES-128-GCM:+AES-128-CCM:+AES-128-CBC:+CAMELLIA-128-GCM:+CAMELLIA-128-CBC:\
+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:\
+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+COMP-NULL:%PROFILE_MEDIUM
EOF
)"

CONFIG_GNUTLS28="$(cat <<EOF
SYSTEM=NONE:+VERS-TLS1.2:\
+VERS-DTLS1.2:\
+AEAD:+SHA1:+SHA256:+SHA384:\
+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:\
+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-GCM:+CAMELLIA-256-CBC:\
+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-GCM:+CAMELLIA-128-CBC:\
+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-RSA-SHA1:-SIGN-DSA-SHA1:-SIGN-ECDSA-SHA1:\
+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+COMP-NULL:%PROFILE_MEDIUM
EOF
)"

# By using "!SSLv2:!SSLv3" we get the TLS 1.2-only ciphersuites;
# that is not ideal, but it is better than nothing.
# we explicitly allow the PSK ciphersuites in openssl as OpenSSL
# enables them by default.
CONFIG_OPENSSL="$(cat <<EOF
!SSLv2:!SSLv3:kEECDH:kRSA:kEDH:kPSK:\
!aNULL:!eNULL:!3DES:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES
EOF
)"


# Configuration for Bind
CONFIG_BIND="$(cat <<EOF
disable-algorithms "."  {
RSAMD5;
DSA;
NSECRSASHA1;
RSASHA1;
};
disable-ds-digests "."  {
SHA1;
};
EOF
)"

# Configuration for Java
CONFIG_JAVA="$(cat <<EOF
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv2, SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, \
 HmacMD5, K_NULL, C_NULL, M_NULL, \
 DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
 DH_RSA_EXPORT, RSA_EXPORT, DH_anon, ECDH_anon, RC4_128, RC4_40, DES_CBC, \
 DES40_CBC, RC2, 3DES_EDE_CBC
jdk.tls.legacyAlgorithms=
EOF
)"

# Configuration for libkrb5
CONFIG_KRB5="$(cat <<EOF
# This file is automatically generated by update-crypto-policies.
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
EOF
)"
