Closed obsti8383 closed 11 months ago
Hi,
due to security reasons TLS 1.0 and 1.1 should be disabled. Has anybody experience tightening up the TLS configuration for snikket a bit?
For my instance of snikket I configured the following settings:
Configuration right now is:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
Works fine at least with the limited set of clients and other servers I use and gives an "A" rating with SSLLabs, too.
If you don't see any issues I could prepare a pull request for that.
Florian
:+1: I've just updated to Mozilla's recommended "intermediate profile" settings in preparation for the release coming soon.
Hi,
due to security reasons TLS 1.0 and 1.1 should be disabled. Has anybody experience tightening up the TLS configuration for snikket a bit?
For my instance of snikket I configured the following settings:
Configuration right now is:
Works fine at least with the limited set of clients and other servers I use and gives an "A" rating with SSLLabs, too.
If you don't see any issues I could prepare a pull request for that.
Florian