add a paragraph on cipher setting configuration

Romuald du Song 2019-03-03 17:57:40 +01:00
parent ccb96a874a
commit e2b6b9cf6d

@ -146,6 +146,22 @@ systemctl restart ssh
```
---
### Change cipher compatibility configuration
The default TLS configuration for services tend to offer a good compatibility to support old devices. You can tune this policy for specific services like SSH or NGINX. For NGINX you can choose to use what Mozilla call a 'modern' configuration. A modern configuration will be more secure but if you loose the connectivity from your devices it will be ueseless.
Once you have changed a policy you can always revert the setting if that doesn't feet your environment.
**On your server**, change the policy for NGINX
```bash
sudo yunohost settings set security.ciphers.compatibility -v modern
```
**On your server**, change the policy for SSH
```bash
sudo yunohost settings set service.ssh.ciphers.compatibility -v modern
```
### Disable YunoHost API
YunoHost administration is accessible through an **HTTP API**, served on the 6787 port by default. It can be used to administrate a lot of things on your server, so malicious actors can also use it to damage your server. The best thing to do, if you know how to use the [command-line interface](/commandline), is to deactivate the `yunohost-api` service.
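
Review bot: the new "Change cipher compatibility configuration" paragraph says the setting can always be reverted, but neither command block shows the revert command or names the value to go back to, so a reader who picks `modern` and loses access has nothing to follow. Add the revert form of `yunohost settings set ... -v` for both keys, and for the SSH step say to confirm a new connection works before closing the current session, and whether a restart like the `systemctl restart ssh` used in the previous section is needed. The two keys also use different prefixes (`security.ciphers.compatibility` for NGINX, `service.ssh.ciphers.compatibility` for SSH); a sentence stating which service each key controls would prevent the first one being read as a global setting. Typos in the added paragraph: "tend" should be "tends", "Mozilla call" should be "Mozilla calls", "loose" should be "lose", "ueseless" should be "useless", "feet" should be "fit". The new section is also not followed by a `---` separator before "### Disable YunoHost API", unlike the one that precedes its own heading.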