Open davidben opened 1 year ago
@christhompson
So landing this will be blocked on me completing the server upgrade after all.
Oof. In the likely event the upgrade makes it impossible to sign MD5, that's no big deal. I don't think any browser supports that anyway. I just added it for completeness.
Clearly we should fork the Go TLS stack and write a custom TLS terminator to sit in front of NGINX... :-)
These correspond to the configurations deprecated by RFC 9155. I've marked MD5 as "bad" because it really should have been out of clients by now. I've marked SHA-1 as "dubious" for now because it's analogous to TLS 1.0/1.1, and clients still support it for now (but hopefully not for much longer).
(I just copied the existing configuration for the cipher suite pages. Not positive if I've done it right.)
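As an added illustration (not part of this pull request or the project's own code), the sketch below parses the body of a TLS 1.2 `signature_algorithms` extension and rates each entry with the labels used in the description above: MD5 "bad", SHA-1 "dubious". The function names and the sample bytes are constructed for this example.

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246, 7.4.1.4.1).
HASH_MD5, HASH_SHA1 = 1, 2
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def rate(hash_id):
    """Rating labels follow the PR description: MD5 bad, SHA-1 dubious."""
    if hash_id == HASH_MD5:
        return "bad"
    if hash_id == HASH_SHA1:
        return "dubious"
    return "ok"


def parse_signature_algorithms(ext_data):
    """Parse extension_data: uint16 list length, then (hash, signature) byte pairs."""
    if len(ext_data) < 2:
        raise ValueError("truncated: missing list length")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if list_len != len(body) or list_len % 2 or list_len == 0:
        raise ValueError("malformed signature_algorithms list")
    results = []
    for i in range(0, list_len, 2):
        h, s = body[i], body[i + 1]
        # TLS 1.3 schemes such as 0x0804 do not split into hash/signature
        # bytes; they come out named "unknown" and are rated "ok" here.
        name = f"{SIG_NAMES.get(s, 'unknown')}_{HASH_NAMES.get(h, 'unknown')}"
        results.append((f"0x{h:02x}{s:02x}", name, rate(h)))
    return results


def worst_rating(results):
    """Return the most severe rating present in a parsed list."""
    order = {"ok": 0, "dubious": 1, "bad": 2}
    return max((r for _, _, r in results), key=order.__getitem__)


# Constructed sample: rsa_sha256, ecdsa_sha256, rsa_sha1, rsa_md5.
SAMPLE = bytes.fromhex("0008" "0401" "0403" "0201" "0101")

if __name__ == "__main__":
    for code, name, rating in parse_signature_algorithms(SAMPLE):
        print(code, name, rating)
```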