From e2b6b9cf6dd8711442c518cca4a96dab761c47bc Mon Sep 17 00:00:00 2001 From: Romuald du Song Date: Sun, 3 Mar 2019 17:57:40 +0100 Subject: [PATCH 1/3] add a paragraph on cipher setting configuration --- security.md | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/security.md b/security.md index e54e0236..24e7abf3 100644 --- a/security.md +++ b/security.md @@ -64,7 +64,7 @@ Port 22 # to replace by 9777 for example **Open the port** in firewall (you can use -6 option to limit forbid ipv4 connexion) ```bash yunohost firewall allow TCP 9777 -``` +``` Save and restart SSH daemon. Switch over to the new port by restarting SSH. ```bash @@ -75,7 +75,7 @@ Then restart the iptables firewall and close the old port in iptables. ```bash yunohost firewall reload yunohost firewall disallow # port by default 22 -``` +``` You also need to give fail2ban the new SSH port. @@ -84,7 +84,7 @@ To do that you need to create the configuration file `my_ssh_port.conf` with the ```bash nano /etc/fail2ban/jail.d/my_ssh_port.conf -``` +``` and you can fill it with @@ -100,7 +100,7 @@ Finally you have to restart fail2ban in order to apply the new configuration ```bash systemctl restart fail2ban.service -``` +``` **For the next SSH connections ** you need to add the `-p` option followed by the SSH port number. @@ -108,7 +108,7 @@ systemctl restart fail2ban.service ```bash ssh -p admin@ -``` +``` --- 
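Review bot: the five hunks at @@ -64, @@ -75, @@ -84, @@ -100 and @@ -108 only strip trailing whitespace after a closing ``` fence and have nothing to do with the subject "add a paragraph on cipher setting configuration"; either drop them from this commit or move them into a separate whitespace-cleanup commit so the content change can be reviewed on its own.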
@@ -146,6 +146,22 @@ systemctl restart ssh ``` --- +### Change cipher compatibility configuration + +The default TLS configuration for services tend to offer a good compatibility to support old devices. You can tune this policy for specific services like SSH or NGINX. For NGINX you can choose to use what Mozilla call a 'modern' configuration. A modern configuration will be more secure but if you loose the connectivity from your devices it will be ueseless. +Once you have changed a policy you can always revert the setting if that doesn't feet your environment. + +**On your server**, change the policy for NGINX +```bash +sudo yunohost settings set security.ciphers.compatibility -v modern +``` + +**On your server**, change the policy for SSH +```bash +sudo yunohost settings set service.ssh.ciphers.compatibility -v modern +``` + + ### Disable YunoHost API YunoHost administration is accessible through an **HTTP API**, served on the 6787 port by default. It can be used to administrate a lot of things on your server, so malicious actors can also use it to damage your server. The best thing to do, if you know how to use the [command-line interface](/commandline), is to deactivate the `yunohost-api` service. From c260eb83e8eebd4ab85e1103eb3b6a52540d7c4e Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sat, 23 Mar 2019 18:25:59 +0100 Subject: [PATCH 2/3] Update setting name + improve explanation about the settings --- security.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/security.md b/security.md index 077222bf..6c4dbbe4 100644 --- a/security.md +++ b/security.md 
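Review bot: the new paragraph in the @@ -146 hunk presents SSH as if it used TLS ("The default TLS configuration for services ... specific services like SSH or NGINX"); SSH negotiates its own ciphers, key-exchange and MAC algorithms, and the Mozilla "modern" profile is a TLS profile, so keep the TLS wording for NGINX and say separately what the SSH setting tightens. The two setting names are also inconsistent with each other (`security.ciphers.compatibility` versus `service.ssh.ciphers.compatibility`), and the next patch in this series renames both, so they should be checked against the real setting keys before this is merged. A too-strict SSH policy can lock the administrator out, so add the usual caveat: keep the current SSH session open, open a second connection to confirm the client still negotiates, and only then close the first; and replace "you can always revert the setting" with the concrete command and value that restores the default. Typos: "tend" -> "tends", "Mozilla call" -> "Mozilla calls", "loose" -> "lose", "ueseless" -> "useless", "feet" -> "fit".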
@@ -148,17 +148,18 @@ systemctl restart ssh ### Change cipher compatibility configuration -The default TLS configuration for services tend to offer a good compatibility to support old devices. You can tune this policy for specific services like SSH or NGINX. For NGINX you can choose to use what Mozilla call a 'modern' configuration. A modern configuration will be more secure but if you loose the connectivity from your devices it will be ueseless. -Once you have changed a policy you can always revert the setting if that doesn't feet your environment. +The default TLS configuration for services tend to offer a good compatibility to support old devices. You can tune this policy for specific services like SSH and NGINX. By default, the NGINX configuration follows the [intermediate compatibility recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29) from Mozilla. You can choose to switch to the 'modern' configuration which uses more recent security recommendations, but decreases the compatibility, which may be an issue for your users and visitors using older devices. More details about the compatibility can be found on [this page](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility). + +Changing the compatibility level is not definitive and can be reverted if it doesn't feet your environment. **On your server**, change the policy for NGINX ```bash -sudo yunohost settings set security.ciphers.compatibility -v modern +sudo yunohost settings set security.nginx.compatibility -v modern ``` **On your server**, change the policy for SSH ```bash -sudo yunohost settings set service.ssh.ciphers.compatibility -v modern +sudo yunohost settings set service.ssh.compatibility -v modern ``` ### Disable YunoHost API From 2731b6a1fb58ae292643ef1acbba32b6427ec768 Mon Sep 17 00:00:00 2001 
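Review bot: the rewritten paragraph in the @@ -148 hunk still puts SSH under "The default TLS configuration for services", and both Mozilla links describe TLS profiles only, so a reader has no way to tell what "modern" changes for `service.ssh.compatibility`; add one sentence on what that policy restricts (ciphers, key exchange, MACs or host-key algorithms, whichever the implementation actually touches) or link to its reference. "Changing the compatibility level is not definitive and can be reverted" still gives no command: since the text states that NGINX defaults to the intermediate profile, show the exact `yunohost settings set ... -v <default>` invocation with the default value. The lock-out warning for the SSH change (test a new connection before closing the current one) is still missing. "tend" -> "tends", "feet" -> "fit".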
From: Alexandre Aubin Date: Sat, 23 Mar 2019 18:30:34 +0100 Subject: [PATCH 3/3] Add french translation --- security_fr.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/security_fr.md b/security_fr.md index e48b8233..ff3ba946 100644 --- a/security_fr.md +++ b/security_fr.md 
@@ -160,6 +160,22 @@ systemctl restart ssh --- +### Durcir la sécurité de la configuration des services + +La configuration TLS par défaut des services tend à offrir une bonne compatibilité avec les vieux appareils. Vous pouvez régler cette politique pour les services SSH et NGINX. Par défaut, la configuration du NGINX suit la [recommandation de compatibilité intermédiaire] (https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29) de Mozilla. Vous pouvez choisir de passer à la configuration "moderne" qui utilise des recommandations de sécurité plus récentes, mais qui diminue la compatibilité, ce qui peut poser un problème pour vos utilisateurs et visiteurs qui utilisent de vieux appareils. Plus de détails peuvent être trouvés sur [cette page](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility). + +Changer le niveau de compatibilité n'est pas définitif et il est possible de rechanger le paramètre si vous concluez qu'il faille revenir en arrière. + +**Sur votre serveur**, modifiez la politique pour NGINX : +```bash +sudo yunohost settings set security.nginx.compatibility -v modern +``` + +**Sur votre serveur**, modifiez la politique pour SSH : +```bash +sudo yunohost settings set service.ssh.compatibility -v modern +``` + ### Désactivation de l’API YunoHost YunoHost est administrable via une **API HTTP**, servie sur le port 6787 par défaut (seulement sur `localhost`). Elle permet d’administrer une grande partie de votre serveur, et peut donc être utilisée à des **fins malveillantes**. La meilleure chose à faire si vous êtes habitués aux lignes de commande est de désactiver le service `yunohost-api`, et **utiliser la [ligne de commande](/commandline_fr)** en SSH.
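Review bot: in the @@ -160 hunk the link `[recommandation de compatibilité intermédiaire] (https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29)` has a space between `]` and `(`, which breaks the markdown link and renders the URL as plain text; remove the space. The French heading "Durcir la sécurité de la configuration des services" (harden the service configuration) does not match the English "Change cipher compatibility configuration", so the two pages will disagree in their tables of contents and anchors; align them. The same SSH-as-TLS wording ("La configuration TLS par défaut des services ... SSH et NGINX") and the missing revert value and SSH lock-out caveat apply here exactly as in the English version.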