bwbroersma closed 5 months ago
This was done by just picking a default config from https://ssl-config.mozilla.org/.
The current configuration: https://github.com/internetstandards/Internet.nl/blob/a469e4c151c1740d3f69e36235bc854b0099004a/docker/webserver/nginx_templates/app.conf.template#L138 compared with the current Mozilla intermediate config:
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
The only difference I see is DHE-RSA-CHACHA20-POLY1305, which is listed in the Mozilla config.
Closing this issue; all good ciphers with proper support (see https://wiki.mozilla.org/Security/Server_Side_TLS) are OK.
The 'old' non-Docker config (still on batch) currently has:
While single (docker) test uses:
Was this TLS cipher and preference change on purpose?
BTW since there is a different root CA + the docker is using Let's Encrypt EC P-256 and batch is using Sectigo RSA 4096, the client simulation cannot really be compared I think.