Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve docs, links and references #255

Draft
wants to merge 8 commits into
base: master
Choose a base branch
from

Conversation

janbrasna
Copy link
Collaborator

@janbrasna janbrasna commented Oct 10, 2024

readme:

https://github.com/janbrasna/ssl-config-generator/tree/upd/docs-refs-links#readme

manifest:

  • update links
  • add default script alias

header:

footer:

https://develop--mozsslconf-dev.netlify.app/

@janbrasna janbrasna added enhancement New feature or request documentation Write down all the things usability Affordance, experience & UI woes labels Oct 10, 2024
Copy link
Collaborator

@gstrauss gstrauss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

initial review of draft (work in progress)

Comment on lines +84 to +85
- `form.serverVersion` - desired server version
- `form.opensslVersion` - desired OpenSSL version
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"desired"? I am not sure that describes "generate config to work with this version" (if version is recognized)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes please do challenge any awkward language you come across. Thanks!

I wanted to make a clear difference between options read from configs as compared to values entered by the visitor through the UI at the time of every render.

Do you have any idea for a reasonably brief wording? Something equivalent to "… version requested by the user" perhaps?

PS: "config to work with this version" is not exactly achieved yet, as the value entered might be artificially high or unreasonably low… but it's the value passed from the user nonetheless.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"user's server version"? "your server version"? "input server version"? "user-selected server version"? "user-specified server version"? I lean towards one of the last two.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I'll go with "requested", as we don't know if it's actually "entered", "selected" or "specified" by the user as their version at all, as it may just come from the default value being pre-populated by configs settings on load; guess I'll be as neutral as possible.

README.md Show resolved Hide resolved
Comment on lines +73 to +74
- `{{#each (reverse output.protocols)}}`
- `sameminorver(version another)` - returns `true` if `version` and `another` are of the same minor version, e.g. `2.4`
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"anotherVersion"? "versionA" "versionB"?

- `last(array)` - returns the last item in the array
- `minpatchver(minimumver, curver)` - `true` if `curver` is greater than or equal to `minimumver`, and both versions are the same patch version, e.g. `2.2`
- `minpatchver(minimum current)` - only `true` if `current` version is greater than or equal to `minimum`, and both are of the same minor version, e.g. `2.4.x` (won't match any higher `2.5.x` or `3.x`)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"true only if"

# Mozilla SSL Configuration Generator

The Mozilla SSL Configuration Generator is a tool which builds configuration files to help you follow the Mozilla [Server Side TLS](https://wiki.mozilla.org/Security/Server_Side_TLS) configuration guidelines.
The Mozilla SSL Configuration Generator is a tool which builds configuration files to help you follow the Mozilla [Server Side TLS](https://wiki.mozilla.org/Security/Server_Side_TLS) recommendations.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not quite comfortable with "recommending" anything in the "Old" config. Maybe suggested configuration to support user-selected configuration guideline?


## JSON guidelines

Each revision of the Mozilla Server Side TLS guidelines is published in a machine-readable format from this repository as a [JSON specification](/src/static/guidelines/) that can be found at [`/src/static/guidelines/`](/src/static/guidelines/) 📟
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

redundant link? I suggest removing hyperlink for "JSON specification" and leaving the rest as-is.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was kinda on purpose as I want the link for the specs listed and titled as such in the outline (think a11y), but at the same time have the following path clickable.

I think I will work around this by linking the first occurrence to the actual deployed latest.json symlink to hint what's the public/canonical location of those specs outside of this repo source.


## Contributing

The project is written in JavaScript, uses Webpack for development and production builds, and most of the templating logic to turn the recommendations into the various server configs is done in Handlebars.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"..., and uses Handlebars for most of the templating logic ..." and remove "is done in Handlerbars." from the end.

@gstrauss
Copy link
Collaborator

Aside: what level of details would you like to include in CHANGELOG.md? User-facing changes are relevant. Version bumps are less important unless related to a user-facing change, such as adding TLSv1.3 support. Internal changes are also less important and can be summarized or omitted, IMO.

- `output.cipherSuites` - TLSv1.3+ cipher suites list
- `output.serverPreferredOrder` - enforce ServerPreference for ordering cipher list (boolean true/false)
- `output.hstsMaxAge` - max-age (seconds) for Strict-Transport-Security: max-age=... HTTP response header
- `output.latestVersion` - server latest version
- `output.usesOpenssl` - server uses openssl (boolean true/false)
- `output.usesDhe` - server might use Diffie-Hellmann key exchange (boolean true/false)
- `output.usesDhe` - config includes Diffie-Hellmann key exchange (boolean true/false)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we specify "config includes ciphers employing non-ECDHE Diffie-Hellmann key exchange"?

This comment was marked as outdated.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TBD: this actually only applies to ≤TLS1.2 currently (or, more precisely for Kx=DH specifically and not Kx=Any in general when including FFDHE too) so I'll need to revisit this once we decide on limiting ffdhe* groups in TLS1.3…

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO: also document dhParamSize proper that's not mentioned in the docs.

@gstrauss
Copy link
Collaborator

Parts of this PR have unfortunately gone stale, e.g.docs/ has been removed, and so has use of Handlebars.

I plan to pick the changes to package.json and src/templates/index.ejs from this PR.

Please rebase the rest and resolve conflicts.
Please update the pic included at the top of README.md to be a current snapshot of the initial page with Getting Started.
Also, please update README.md: I plan to soon migrate to use Node v22 instead of Node v20 in production.

Why add so many new entries to .gitignore? Following the instructions in README.md does not produce that detritus, and git clean -fdx ((!) use with caution (!)) can clean a repository of all untracked files.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Write down all the things enhancement New feature or request usability Affordance, experience & UI woes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Document best way for users to get notifications about new guideline versions Add support for OpenSSL 3.0.0
2 participants