s/SSL/TLS/ in user-visible text throughout the project

4b4f670a · Joshua Tauberer · b1b57f9b · 4b4f670a · 4b4f670a · 4b4f670a
Commit 4b4f670a authored Jan 02, 2016 by Joshua Tauberer
6 changed files
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
 ## $HOSTNAME

-# Redirect all HTTP to HTTPS *except* the ACME challenges (Let's Encrypt SSL certificate
+# Redirect all HTTP to HTTPS *except* the ACME challenges (Let's Encrypt TLS certificate
 # domain validation challenges) path, which must be served over HTTP per the ACME spec
 # (due to some Apache vulnerability).
 server {
@@ -23,7 +23,7 @@ server {

 	location /.well-known/acme-challenge/ {
 		# This path must be served over HTTP for ACME domain validation.
-		# We map this to a special path where our SSL cert provisioning
+		# We map this to a special path where our TLS cert provisioning
 		# tool knows to store challenge response files.
 		alias $STORAGE_ROOT/ssl/lets_encrypt/acme_challenges/;
 	}

--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -663,7 +663,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring
 			return ("The certificate is missing an intermediate chain or the intermediate chain is incorrect or incomplete. (%s)" % verifyoutput, None)

 		# There is some unknown problem. Return the `openssl verify` raw output.
-		return ("There is a problem with the SSL certificate.", verifyoutput.strip())
+		return ("There is a problem with the certificate.", verifyoutput.strip())

 	else:
 		# `openssl verify` returned a zero exit status so the cert is currently

--- a/management/status_checks.py
+++ b/management/status_checks.py
 #!/usr/bin/python3
 #
 # Checks that the upstream DNS has been set correctly and that
-# SSL certificates have been signed, etc., and if not tells the user
+# TLS certificates have been signed, etc., and if not tells the user
 # what to do next.

 import sys, os, os.path, re, subprocess, datetime, multiprocessing.pool
@@ -609,7 +609,7 @@ def check_web_domain(domain, rounded_time, ssl_certificates, env, output):
 				webmail or a website on this domain. The domain currently resolves to %s in public DNS. It may take several hours for
 				public DNS to update after a change. This problem may result from other issues listed here.""" % (env['PUBLIC_IP'], ip))

-	# We need a SSL certificate for PRIMARY_HOSTNAME because that's where the
+	# We need a TLS certificate for PRIMARY_HOSTNAME because that's where the
 	# user will log in with IMAP or webmail. Any other domain we serve a
 	# website for also needs a signed certificate.
 	check_ssl_cert(domain, rounded_time, ssl_certificates, env, output)
@@ -651,18 +651,18 @@ def query_dns(qname, rtype, nxdomain='[Not Set]', at=None):
 	return "; ".join(sorted(str(r).rstrip('.') for r in response))

 def check_ssl_cert(domain, rounded_time, ssl_certificates, env, output):
-	# Check that SSL certificate is signed.
+	# Check that TLS certificate is signed.

 	# Skip the check if the A record is not pointed here.
 	if query_dns(domain, "A", None) not in (env['PUBLIC_IP'], None): return

-	# Where is the SSL stored?
+	# Where is the certificate file stored?
 	tls_cert = get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=True)
 	if tls_cert is None:
-		output.print_warning("""No SSL certificate is installed for this domain. Visitors to a website on
+		output.print_warning("""No TLS (SSL) certificate is installed for this domain. Visitors to a website on
 			this domain will get a security warning. If you are not serving a website on this domain, you do
-			not need to take any action. Use the SSL Certificates page in the control panel to install a
-			SSL certificate.""")
+			not need to take any action. Use the TLS Certificates page in the control panel to install a
+			TLS certificate.""")
 		return

 	# Check that the certificate is good.
@@ -671,19 +671,19 @@ def check_ssl_cert(domain, rounded_time, ssl_certificates, env, output):

 	if cert_status == "OK":
 		# The certificate is ok. The details has expiry info.
-		output.print_ok("SSL certificate is signed & valid. " + cert_status_details)
+		output.print_ok("TLS (SSL) certificate is signed & valid. " + cert_status_details)

 	elif cert_status == "SELF-SIGNED":
 		# Offer instructions for purchasing a signed certificate.
 		if domain == env['PRIMARY_HOSTNAME']:
-			output.print_error("""The SSL certificate for this domain is currently self-signed. You will get a security
+			output.print_error("""The TLS (SSL) certificate for this domain is currently self-signed. You will get a security
 			warning when you check or send email and when visiting this domain in a web browser (for webmail or
 			static site hosting).""")
 		else:
-			output.print_error("""The SSL certificate for this domain is self-signed.""")
+			output.print_error("""The TLS (SSL) certificate for this domain is self-signed.""")

 	else:
-		output.print_error("The SSL certificate has a problem: " + cert_status)
+		output.print_error("The TLS (SSL) certificate has a problem: " + cert_status)
 		if cert_status_details:
 			output.print_line("")
 			output.print_line(cert_status_details)

--- a/management/templates/index.html
+++ b/management/templates/index.html
@@ -87,7 +87,7 @@
              <a href="#" class="dropdown-toggle" data-toggle="dropdown">System <b class="caret"></b></a>
              <ul class="dropdown-menu">
                <li><a href="#system_status" onclick="return show_panel(this);">Status Checks</a></li>
-                <li><a href="#ssl" onclick="return show_panel(this);">SSL Certificates</a></li>
+                <li><a href="#tls" onclick="return show_panel(this);">TLS (SSL) Certificates</a></li>
                <li><a href="#system_backup" onclick="return show_panel(this);">Backup Status</a></li>
                <li class="divider"></li>
                <li class="dropdown-header">Advanced Pages</li>
@@ -155,7 +155,7 @@
      {% include "web.html" %}
      </div>

-      <div id="panel_ssl" class="admin_panel">
+      <div id="panel_tls" class="admin_panel">
      {% include "ssl.html" %}
      </div>


--- a/management/templates/ssl.html
+++ b/management/templates/ssl.html
 <style>
 </style>

-<h2>SSL Certificates</h2>
+<h2>TLS (SSL) Certificates</h2>

 <h3>Certificate Status</h3>

@@ -20,15 +20,15 @@

 <p>A multi-domain or wildcard certificate will be automatically applied to any domains it is valid for.</p>

-<h3 id="ssl_install_header">Install SSL Certificate</h3>
+<h3 id="ssl_install_header">Install Certificate</h3>

-<p>There are many places where you can get a free or cheap SSL certificate. We recommend <a href="https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx">Namecheap&rsquo;s $9 certificate</a>, <a href="https://www.startssl.com/">StartSSL&rsquo;s free express lane</a> or <a href="https://buy.wosign.com/free/">WoSign&rsquo;s free SSL</a></a>.</p>
+<p>There are many places where you can get a free or cheap certificate. We recommend <a href="https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx">Namecheap&rsquo;s $9 certificate</a>, <a href="https://www.startssl.com/">StartSSL&rsquo;s free express lane</a> or <a href="https://buy.wosign.com/free/">WoSign&rsquo;s free TLS</a></a>.</p>

-<p>Which domain are you getting an SSL certificate for?</p>
+<p>Which domain are you getting a certificate for?</p>

 <p><select id="ssldomain" onchange="show_csr()" class="form-control" style="width: auto"></select></p>

-<p>What country are you in? This is required by some SSL certificate providers. You may leave this blank if you know your SSL certificate provider doesn't require it.</p>
+<p>What country are you in? This is required by some TLS certificate providers. You may leave this blank if you know your TLS certificate provider doesn't require it.</p>

 <p><select id="sslcc" onchange="show_csr()" class="form-control" style="width: auto">
 	<option value="">(Select)</option>
@@ -38,18 +38,18 @@
 </select></p>

 <div id="csr_info" style="display: none">
-  <p>You will need to provide the SSL certificate provider this Certificate Signing Request (CSR):</p>
+  <p>You will need to provide the certificate provider this Certificate Signing Request (CSR):</p>

  <pre id="ssl_csr"></pre>

  <p><small>The CSR is safe to share. It can only be used in combination with a secret key stored on this machine.</small></p>

-  <p>The SSL certificate provider will then provide you with an SSL certificate. They may also provide you with an intermediate chain. Paste each separately into the boxes below:</p>
+  <p>The certificate provider will then provide you with a TLS/SSL certificate. They may also provide you with an intermediate chain. Paste each separately into the boxes below:</p>

-  <p style="margin-bottom: .5em">SSL certificate:</p>
+  <p style="margin-bottom: .5em">TLS/SSL certificate:</p>
  <p><textarea id="ssl_paste_cert" class="form-control" style="max-width: 40em; height: 8em" placeholder="-----BEGIN CERTIFICATE-----&#xA;stuff here&#xA;-----END CERTIFICATE-----"></textarea></p>

-  <p style="margin-bottom: .5em">SSL intermediate chain (if provided):</p>
+  <p style="margin-bottom: .5em">TLS/SSL intermediate chain (if provided):</p>
  <p><textarea id="ssl_paste_chain" class="form-control" style="max-width: 40em; height: 8em" placeholder="-----BEGIN CERTIFICATE-----&#xA;stuff here&#xA;-----END CERTIFICATE-----&#xA;-----BEGIN CERTIFICATE-----&#xA;more stuff here&#xA;-----END CERTIFICATE-----"></textarea></p>

  <p>After you paste in the information, click the install button.</p>
@@ -58,7 +58,7 @@
 </div>

 <script>
-function show_ssl() {
+function show_tls() {
 api(
    "/web/domains",
    "GET",
@@ -122,9 +122,9 @@ function install_cert() {
    function(status) {
      if (/^OK($|\n)/.test(status)) {
        console.log(status)
-        show_modal_error("SSL Certificate Installation", "Certificate has been installed. Check that you have no connection problems to the domain.", function() { show_ssl(); $('#csr_info').slideUp(); });
+        show_modal_error("TLS Certificate Installation", "Certificate has been installed. Check that you have no connection problems to the domain.", function() { show_ssl(); $('#csr_info').slideUp(); });
      } else {
-        show_modal_error("SSL Certificate Installation", status);
+        show_modal_error("TLS Certificate Installation", status);
      }
    });
 }

--- a/security.md
+++ b/security.md
@@ -38,7 +38,7 @@ These services are protected by [TLS](https://en.wikipedia.org/wiki/Transport_La

 The services all follow these rules:

-* SSL certificates are generated with 2048-bit RSA keys and SHA-256 fingerprints. The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one. ([source](setup/ssl.sh))
+* TLS certificates are generated with 2048-bit RSA keys and SHA-256 fingerprints. The box provides a self-signed certificate by default. The [setup guide](https://mailinabox.email/guide.html) explains how to verify the certificate fingerprint on first login. Users are encouraged to replace the certificate with a proper CA-signed one. ([source](setup/ssl.sh))
 * Only TLSv1, TLSv1.1 and TLSv1.2 are offered (the older SSL protocols are not offered).
 * Export-grade ciphers, the anonymous DH/ECDH algorithms (aNULL), and clear-text ciphers (eNULL) are not offered.
 * The minimum cipher key length offered is 112 bits. The maximum is 256 bits. Diffie-Hellman ciphers use a 2048-bit key for forward secrecy.