# A level that will ensure maximum compatibility with legacy systems.
# It should provide at least 64-bit security and include RC4 and MD5 (for HMAC).

# MACs: MD5, SHA1+
# Curves: All supported
# Signature algorithms: must use SHA-1 hash or better
# (Note: signature algorithm restrictions should not apply to self-signatures)
# Ciphers: AES-GCM, AES-CCM, AES-CBC, CAMELLIA-GCM, CAMELLIA-CBC, 3DES-CBC, RC4
# Key exchange: ECDHE, RSA, DHE
# DH params size: 767+
# RSA params size: 767+
# Protocols: All supported (SSL3.0+)

# GnuTLS priority string for this level, built as one line by concatenating
# the pieces below with no separator.
# Starting from NONE it re-enables: all TLS versions (VERS-TLS-ALL), every MAC
# (MAC-ALL), ECDHE/RSA/DHE key exchange, AES in GCM/CCM/CBC, Camellia in
# GCM/CBC, and the legacy ciphers 3DES-CBC and ARCFOUR-128 (RC4).
# Every signature algorithm is accepted except RSA-MD5.
# NOTE(review): %PROFILE_VERY_WEAK is presumably what enforces the 767-bit
# DH/RSA floor stated in the header -- confirm against the GnuTLS version in use.
CONFIG_GNUTLS="$(printf '%s' \
    'SYSTEM=NONE:+VERS-TLS-ALL:+MAC-ALL:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:' \
    '+AES-128-GCM:+AES-128-CCM:+AES-128-CBC:+CAMELLIA-128-GCM:+CAMELLIA-128-CBC:' \
    '+AES-256-GCM:+AES-256-CCM:+AES-256-CBC:+CAMELLIA-256-GCM:+CAMELLIA-256-CBC:' \
    '+3DES-CBC:+ARCFOUR-128:' \
    '+SIGN-ALL:-SIGN-RSA-MD5:' \
    '+CURVE-ALL:+COMP-NULL:%PROFILE_VERY_WEAK')"

# OpenSSL cipher string for this level, emitted as a single line.
#  - '!' entries permanently remove suites: SSLv2 suites, anonymous (aNULL),
#    unencrypted (eNULL), export-grade, SEED, IDEA and single DES.
#  - kEECDH/kRSA/kEDH/kPSK select suites by key exchange.
#  - '+' entries add nothing; OpenSSL moves the matching suites to the end of
#    the list, so RC4 ends up as the least preferred cipher, after 3DES.
# NOTE(review): kPSK is enabled here but the header lists only ECDHE, RSA and
# DHE as key exchanges -- confirm which of the two is intended.
CONFIG_OPENSSL="$(printf '%s' \
    '!SSLv2:kEECDH:kRSA:kEDH:kPSK:' \
    '+CAMELLIA128:+AES256:+CAMELLIA256:+3DES:+RC4:' \
    '!aNULL:!eNULL:!EXP:!SEED:!IDEA:!DES')"


# BIND fragment for this level: a disable-algorithms clause for the root
# domain (".") whose only entry is RSAMD5. Nothing else is listed, so no
# other DNSSEC algorithm is restricted at this level.
# Each printf argument becomes one line of the fragment; the command
# substitution strips the final newline.
CONFIG_BIND="$(printf '%s\n' \
    'disable-algorithms "."  {' \
    'RSAMD5;' \
    '};')"

# Configuration for Java: security-property lines for this level.
#  - jdk.certpath.disabledAlgorithms rejects MD2 and MD5 and RSA keys
#    shorter than 767 bits in certification paths.
#  - jdk.tls.disabledAlgorithms rejects SSLv2, DH keys shorter than 767 bits,
#    NULL key exchange/cipher/MAC, export-grade and anonymous suites,
#    RC4_40, single DES and RC2. SSLv3 is not listed, matching the
#    "SSL3.0+" line in the header.
#  - jdk.tls.legacyAlgorithms marks RC4_128 as legacy instead of disabling it.
# The heredoc delimiter is unquoted, so the shell removes each
# backslash-newline pair: the continuation lines reach Java as one line and
# the spaces around each join are kept in the value.
CONFIG_JAVA="$(cat <<EOF
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 767
jdk.tls.disabledAlgorithms=SSLv2, DH keySize < 767, K_NULL, \
 C_NULL, M_NULL, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
 DH_RSA_EXPORT, RSA_EXPORT, DH_anon, ECDH_anon, RC4_40, DES_CBC, \
 DES40_CBC, RC2
jdk.tls.legacyAlgorithms= RC4_128
EOF
)"

# libkrb5 fragment for this level: a generated-file banner line followed by
# the permitted_enctypes list (AES and Camellia first, then des3-cbc-sha1,
# arcfour-hmac-md5 and three single-DES enctypes).
# NOTE(review): des-cbc-crc, des-cbc-md5 and des-cbc-md4 are single DES, whose
# 56-bit key is below the "at least 64-bit security" floor stated in the
# header. The OpenSSL (!DES) and Java (DES_CBC) settings in this file exclude
# single DES -- confirm that keeping it for Kerberos is intended.
CONFIG_KRB5="$(printf '%s\n' \
    '# This file is automatically generated by update-crypto-policies.' \
    'permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4')"
