From 087cdb961c0c2dc550fd79dab20a6983a8a1b3e7 Mon Sep 17 00:00:00 2001 From: Laurent Peuch Date: Sat, 25 Feb 2017 22:04:49 +0100 Subject: [PATCH 1/3] [enh] upgrade ciphers suit to more secure ones --- data/templates/nginx/server.tpl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 854ff3faf..45961633f 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -26,7 +26,7 @@ server { ssl_session_cache shared:SSL:50m; ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; add_header Strict-Transport-Security "max-age=31536000;"; From f851817bbf3c94cca638dd9b849bfb23080cad46 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 12 Mar 2017 20:58:45 -0400 Subject: [PATCH 2/3] Updating ciphers with recommendation from mozilla with modern compatibility --- data/templates/nginx/server.tpl.conf | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 45961633f..8466eeef3 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -24,16 +24,15 @@ server { ssl_certificate_key /etc/yunohost/certs/{{ domain }}/key.pem; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; + + # Ciphers with modern configuration + # Source : https://mozilla.github.io/server-side-tls/ssl-config-generator/ + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; add_header Strict-Transport-Security "max-age=31536000;"; - # Uncomment the following directive after DH generation - # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 - #ssl_dhparam /etc/ssl/private/dh2048.pem; - access_by_lua_file /usr/share/ssowat/access.lua; include conf.d/{{ domain }}.d/*.conf; From 8cba71b51444c3119c6b9771e2a6eee9b389a1fa Mon Sep 17 00:00:00 2001 From: ljf Date: Mon, 20 Mar 2017 00:45:33 +0100 Subject: [PATCH 3/3] [fix] Apply cipher suite into webadmin nginx conf --- data/templates/nginx/plain/yunohost_admin.conf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/data/templates/nginx/plain/yunohost_admin.conf b/data/templates/nginx/plain/yunohost_admin.conf index bcd99493b..57abac7ee 100644 --- a/data/templates/nginx/plain/yunohost_admin.conf +++ b/data/templates/nginx/plain/yunohost_admin.conf @@ -19,9 +19,12 @@ server { ssl_certificate_key /etc/yunohost/certs/yunohost.org/key.pem; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; + + # Ciphers with modern configuration + # Source : https://mozilla.github.io/server-side-tls/ssl-config-generator/ + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM; add_header Strict-Transport-Security "max-age=31536000;";