add the helper for schannel name in registry

README.md

@@ -34,16 +34,16 @@ Customize your security configuration using attributes.
 ## Attributes
 
 Attribute                                         | Default Value | Description
------------------------------------------------ - | ------------- | ------------------------------------------------------
+------------------------------------------------- | ------------- | ------------------------------------------------------
 `default['schannel']['event_logging']['level']`   | 1             | Is the URL of the package repository.
 `default['schannel']['cipher_order']['secure']`   | true          | Define the security level 
-`default['schannel']['protocols']['client-side']` | true          | Apply the protocol configuration at the client side.
+`default['schannel']['protocols_client_side']`    | true          | Apply the protocol configuration at the client side.
 
 Others available attributes are used to enable/disable a protocol, cipher, hash or exchange key algorithm.
 Please check `defaut.rb` attribute file for more details.
 
-You can also define your own list of ciphers.
-Please check `cipher.rb` attribute file for more details.
+You can also define your own list of ciphers via `default['schannel']['cipher_order']['list']` attribute.
+Please check `defaut.rb` attribute file for more details.
 
 ## Run list
 

attributes/default.rb

@@ -23,13 +23,8 @@
 # 4	Log informational and success events
 default['schannel']['event_logging']['level'] = 1
 
-# define the security cipher suite order
-# 0 default (depend of windows version: https://msdn.microsoft.com/fr-fr/library/windows/desktop/aa374757(v=vs.85).aspx
-# 1 secure (best practices defined in Nartac IIS Cryto: https://www.nartac.com/Products/IISCrypto)
-default['schannel']['cipher_order']['secure'] = true
-
 # Set the secure protocols at client side
-default['schannel']['protocols']['client-side'] = true
+default['schannel']['protocols_client_side'] = true
 
 # Protocols secure settings
 default['schannel']['protocols']['mupuh']['enable'] = false # Disable Multi-Protocol Unified Hello
@@ -65,3 +60,49 @@
 default['schannel']['keyexch']['diffiehellman']['enable'] = true # Enable Diffie-Hellman
 default['schannel']['keyexch']['pkcs']['enable']          = true # Enable PKCS
 default['schannel']['keyexch']['ecdh']['enable']          = true # Enable Diffie-Hellman
+
+# define the security cipher suite order
+# 0 default (depend of windows version: https://msdn.microsoft.com/fr-fr/library/windows/desktop/aa374757(v=vs.85).aspx
+# 1 secure (best practices defined in Nartac IIS Cryto: https://www.nartac.com/Products/IISCrypto)
+default['schannel']['cipher_order']['secure'] = true
+
+# This list is based on best practices defined in Nartac IIS Cryto:
+# Details at: https://www.nartac.com/Products/IISCrypto
+# You can use this default attribute to set your own cipher suite.
+default['schannel']['cipher_order']['list'] = %w(
+  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
+  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
+  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
+  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
+  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
+  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
+  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
+  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
+  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
+  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
+  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
+  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
+  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
+  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
+  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
+  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
+  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
+  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
+  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
+  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
+  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
+  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
+  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
+  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
+  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
+  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
+  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
+  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
+  TLS_RSA_WITH_AES_256_GCM_SHA384
+  TLS_RSA_WITH_AES_128_GCM_SHA256
+  TLS_RSA_WITH_AES_256_CBC_SHA256
+  TLS_RSA_WITH_AES_128_CBC_SHA256
+  TLS_RSA_WITH_AES_256_CBC_SHA
+  TLS_RSA_WITH_AES_128_CBC_SHA
+  TLS_RSA_WITH_3DES_EDE_CBC_SHA
+)

libraries/registry_helper.rb

@@ -0,0 +1,54 @@
+#
+# Author:: pdeprey (<[email protected]>)
+# Cookbook:: schannel
+# Library:: registry_helper
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# this library check the correct name of channel defined in windows registry.
+
+def registry_name(name)
+  case name
+  # protocols
+  when 'mupuh' then 'Multi-Protocol Unified Hello'
+  when 'pct10' then 'PCT 1.0'
+  when 'ssl30' then 'SSL 3.0'
+  when 'ssl20' then 'SSL 2.0'
+  when 'tls10' then 'TLS 1.0'
+  when 'tls11' then 'TLS 1.1'
+  when 'tls12' then 'TLS 1.2'
+  # ciphers
+  when 'aes_128128' then 'AES 128/128'
+  when 'aes_256256' then 'AES 256/256'
+  when '3des_168168' then 'Triple DES 168/168'
+  when 'rc2_40128' then 'RC2 40/128'
+  when 'rc2_56128' then 'RC2 56/128'
+  when 'rc2_128128' then 'RC2 128/128'
+  when 'rc4_40128' then 'RC4 40/128'
+  when 'rc4_56128' then 'RC4 56/128'
+  when 'rc4_64128' then 'RC4 64/128'
+  when 'rc4_128128' then 'RC4 128/128'
+  when 'des_5656' then 'DES 56/56'
+  when 'null' then 'NULL'
+  # hashes
+  when 'md5' then 'MD5'
+  when 'sha' then 'SHA'
+  when 'sha256' then 'SHA256'
+  when 'sha384' then 'SHA384'
+  when 'sha512' then 'SHA512'
+  # key exchange algorithms
+  when 'diffiehellman' then 'Diffie-Hellman'
+  when 'pkcs' then 'PKCS'
+  when 'ecdh' then 'ECDH'
+  end
+end

recipes/default.rb

@@ -26,7 +26,7 @@
 registry_key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' do
   action     node['schannel']['cipher_order']['secure'] ? :create : :nothing
   recursive  true
-  values     [{ name: 'Functions', type: :string, data: node['schannel']['ciphers']['suites'].join(',') }]
+  values     [{ name: 'Functions', type: :string, data: node['schannel']['cipher_order']['list'].join(',') }]
 end
 
 # event logging set level of debugging
@@ -37,10 +37,10 @@
 end
 
 # enable/disable the schannel protocols
-sclist = node['schannel']['protocols']['client-side'] ? %w(Server Client) : %w(Server)
+sclist = node['schannel']['protocols_client_side'] ? %w(Server Client) : %w(Server)
 sclist.each do |sc|
   node['schannel']['protocols'].each do |pname, pval|
-    registry_key "#{regdir}\\Protocols\\#{pname}\\#{sc}" do
+    registry_key "#{regdir}\\Protocols\\#{registry_name(pname)}\\#{sc}" do
       action     :create
       recursive  true
       values [
@@ -53,7 +53,7 @@
 
 # enable/disable the schannel ciphers
 node['schannel']['ciphers'].each do |cname, cval|
-  registry_key "#{regdir}\\Ciphers\\#{cname}" do
+  registry_key "#{regdir}\\Ciphers\\#{registry_name(cname)}" do
     action     :create
     recursive  true
     values     [{ name: 'Enabled', type: :dword, data: cval['enable'] ? 4_294_967_295 : 0 }]
@@ -62,7 +62,7 @@
 
 # enable/disable the schannel hashes
 node['schannel']['hashes'].each do |hname, hval|
-  registry_key "#{regdir}\\Hashes\\#{hname}" do
+  registry_key "#{regdir}\\Hashes\\#{registry_name(hname)}" do
     action     :create
     recursive  true
     values     [{ name: 'Enabled', type: :dword, data: hval['enable'] ? 4_294_967_295 : 0 }]
@@ -71,7 +71,7 @@
 
 # enable/disable the schannel key exchange algorithms
 node['schannel']['keyexch'].each do |kname, kval|
-  registry_key "#{regdir}\\KeyExchangeAlgorithms\\#{kname}" do
+  registry_key "#{regdir}\\KeyExchangeAlgorithms\\#{registry_name(kname)}" do
     action     :create
     recursive  true
     values     [{ name: 'Enabled', type: :dword, data: kval['enable'] ? 4_294_967_295 : 0 }]