Unable to disable TLSv1, TLSv1.1 & unsafe ciphers.

[pleunv]

Describe the issue

I'm unable to disable unsafe SSL protocols & ciphers with the https config, while this should be working out of the box.

I already tried

Hi there! I'm trying to set up Weblate in conjunction with https-portal for the automated certs. At the same time I need to disable TLSv1, TLSv1.1 and certain unsafe ciphers due to compliance reqs, so basically the equivalent of an Intermediate SSL config as detailed here. Luckily https-portal should be restrictive by default (and enable TLSv1.3 as of v1.7.0). However, after spinning up a docker-compose-https and running an SSL Labs scan I'm still seeing TLSv1, TLSv1.1 as active, and TLSv1.3 as unsupported.

I've tried all sorts of config changes in the https-portal container and honestly I'm at a loss at what the cause could be. When inspecting the Weblate container I can see that it's running the ~default nginx config which enables TLSv1, TLSv1.1 and TLSv1.2 (same as the SSL Labs report) but as far as I understand this should not be relevant in the reverse proxy setup. Would anyone be able to shed more light on this?

Additionally, perhaps it would make sense to disable these by default in Weblate, as TLSv1 and TLSv1.1 are considered insecure and EOL.

To Reproduce the issue

Steps to reproduce the behavior:

1. Run a sudo docker-compose -f docker-compose-https.yml -f docker-compose-https.override.yml up -d
2. Go to SSL Labs and run a test on the spun up instance
3. Scroll down to the supported protocols
4. See TLSv1 & TLSv1.1 in the list

[github-actions[bot]]

This issue looks more like a support question than an issue. We strive to answer these reasonably fast, but purchasing the support subscription is not only more responsible and faster for your business but also makes Weblate stronger. In case your question is already answered, making a donation is the right way to say thank you!

[nijel]

This is really something to be discussed at https-portal and I see you've already asked there - https://github.com/SteveLTN/https-portal/issues/188

[pleunv]

Thanks for the response! I figured, but seeing as the default docker image spins up an nginx server too (if I'm not mistaken) I figured perhaps it was relevant here as well, seeing as TLSv1 and TLSv1.1 are considered a security issue these days. Although, probably better suited in the WeblateOrg/docker repo then :).

The underlying issue with https-portal has been solved in the meantime, by the way.

[nijel]

Good point, I will look into that.

[github-actions[bot]]

The issue you have reported is resolved now. If you don’t feel it’s right, please follow it’s labels to get a clue and take further steps.

• In case you see a similar problem, please open a separate issue.
• If you are happy with the outcome, don’t hesitate to support Weblate by making a donation.