The Mozilla SSL Configuration Generator is a tool which builds configuration files to help you follow the Mozilla Server Side TLS configuration guidelines.
$ npm installOnce you've installed, you can simply run:
$ npm run watchThis starts a local webserver that will automatically reload your changes.
There are two places that need to be updated in order to add support for a new piece of software:
src/js/configs.js, which sets the supported features for your software, andsrc/templates/partials/your-software.hbs, a Handlebars.js template that mirrors your software's configurationAll of the templates are written in Handlebars.js, and so therefore support all of its standard features. This includes if/else/unless conditionals and each loops, for example. In addition, the configuration generator supports the following helpers:
eq(item, value) - true if item equals valueincludes(item, stringOrArray) - true if stringOrArray contains itemjoin(array, joiner) - split a array into a string based on joiner
{{{join output.ciphers ":"}}}last(array) - returns the last item in the arrayminpatchver(minimumver, curver) - true if curver is greater than or equal to minimumver, and both versions are the same patch version, e.g. 2.2
{{#if (minpatchver "2.4.3" form.serverVersion)}}minver(minimumver, curver) - true if curver is greater than or equal to minver
{{#if (minver "1.9.5" form.serverVersion)}}replace(string, whattoreplace, replacement) - replaces whatToReplace with replacement
replace(protocol, "TLSv", "TLS ")reverse(array) - reverses the order of an array
{{#each (reverse output.protocols)}sameminorver(version, otherVersion) - returns true if version and otherVersion are of the same minor version, e.g. 2.2
{{#if (sameminorver "2.4.0" form.serverVersion)}}split(string, splitter) - split a string into an array based on splitter
{{#each (split somearray ":")}}Highlighted items from src/js/state.js for use in templates. See src/js/state.js for more.
form.serverName - Server Name
form.serverVersion - Server Version
form.opensslVersion - OpenSSL Version
form.config - configuration name ([ "modern" | "intermediate" | "old" ])
form.hsts - HTTP Strict Transport Security form checkbox (boolean true/false)
form.ocsp - OCSP Stapling form checkbox (boolean true/false)
output.header - description of rendered config (# {{output.header}})
output.link - URL to rendered config (# {{{output.link}}})
output.protocols - protocol list (e.g. zero or more of: "TLSv1" "TLSv1.1" "TLSv1.2" "TLSv1.3")
output.ciphers - cipher list ({{join output.ciphers ":"}})
output.cipherSuites - cipher suites list
output.serverPreferredOrder - enforce ServerPreference for ordering cipher list (boolean true/false)
output.hstsMaxAge - max-age (seconds) for Strict-Transport-Security: max-age=... HTTP response header
output.permanentRedirect - HTTP status code ([ 301 | 308 ]) to use for permanent redirect from http://site to https://site
output.latestVersion - server latest version
output.usesOpenssl - server uses openssl (boolean true/false)
output.usesDhe - server might use Diffie-Hellmann key exchange (boolean true/false)
output.dhCommand - command to generate Diffie-Hellman (DH) parameters
output.hasVersions - server config has versions (boolean true/false)
output.supportsConfigs - supports modern, intermediate, old configs (boolean true/false)
output.supportsHsts - supports HTTP Strict Transport Security (HSTS) (boolean true/false)
output.supportsOcspStapling - supports OCSP Stapling (boolean true/false)
output.tls13 - minimum server version supporting TLSv1.3
To publish to GitHub Pages, first generate new docs/ files by running
$ npm run buildThen commit the newly built docs/ files and push the commit to GitHub.
The Changelog that captures the history of changes to Mozilla's recommendations
as represented in the JSON guideline files can be found at /src/static/guidelines/CHANGELOG.md
The SSL Config Generator was kept in the mozilla/server-side-tls repository
prior to mid 2019 at which point it was moved to this dedicated repository. It
was initially created at the end of 2014
and started out supporting Apache HTTP, Nginx and HAProxy.