syncloud / platform

Run popular services on your device with one click
https://syncloud.org
GNU General Public License v3.0

Easy Way To Disable Old TLS #527

Closed DarkCoocky closed 4 years ago

DarkCoocky commented 4 years ago

I'd like to know if there's a way to disable TLS 1.0 and 1.1 on the entire server (including its web interface and its apps).

cyberb commented 4 years ago

Device UI: https://github.com/syncloud/platform/blob/master/config/nginx/public.conf#L88 Apps: https://github.com/syncloud/platform/blob/master/config/nginx/public.conf#L121

Probably we should disable for everyone, could you create a pull request if you know nginx?

To test changes on the device you can change this file: /var/snap/platform/common/config.runtime/nginx/nginx.conf

DarkCoocky commented 4 years ago

I don't know nginx, but I suppose that if I edit this file I'll have to restart the service. Can I have the command to restart the service, if that's required? Because I'm not sure I'd find the right one on Google ^^'

I'll test it at home and then create the request.

By the way, maybe we should also enable TLS 1.3? According to Google it needs nginx 1.13 or above.

cyberb commented 4 years ago

> Can I have the command to restart the service, if that's required?

snap restart platform.nginx-public

> By the way, maybe we should also enable TLS 1.3? According to Google it needs nginx 1.13 or above.

Nginx is 1.15.12 (https://github.com/syncloud/3rdparty/blob/master/nginx/build.sh#L16)

DarkCoocky commented 4 years ago

So I've disabled TLS 1.0 and 1.1. But I still don't have TLS 1.3 according to SSL Labs.

I also modified the cipher suite configuration in order to increase security. https://github.com/syncloud/platform/blob/7ffaff505953dff20ab23812b10c33eb983a5965/config/nginx/public.conf#L89

https://github.com/syncloud/platform/blob/7ffaff505953dff20ab23812b10c33eb983a5965/config/nginx/public.conf#L122

These two lines have been modified in order to have this:

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

I'll create the request now.
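A check for the change discussed in this thread, added here as an example (it is not part of the syncloud project or of the original issue): a POSIX sh script that lints the ssl_protocols and ssl_ciphers directives of an nginx config fragment for the points raised above (TLS 1.0/1.1 still enabled, TLS 1.3 not listed, cipher suites without forward secrecy) and can probe a live listener one protocol version at a time with openssl s_client. The two config fragments inside it are constructed for the example, as are the function names. One caveat the thread runs into: listing TLSv1.3 in ssl_protocols is only half of enabling it, nginx must also be linked against OpenSSL 1.1.1 or later (`nginx -V` prints the library it was built with), which is the usual reason SSL Labs keeps reporting no TLS 1.3 after the directive is changed.

```shell
#!/bin/sh
# Added example, not code from the syncloud project: lint the TLS directives of an
# nginx config fragment, then optionally probe a live listener per protocol version.
# Both config fragments below are constructed for this example.

WEAK_CONF='
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
'

HARDENED_CONF='
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
}
'

# directive_values CONF NAME: print the value of every NAME directive, one per line
directive_values() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p"
}

# has_token LIST PATTERN: true if PATTERN matches a whole whitespace-separated word
# (so "TLSv1" does not match inside "TLSv1.2")
has_token() {
    printf '%s\n' "$1" | grep -qE "(^|[[:space:]])$2([[:space:]]|$)"
}

# tls_lint CONF: print one FINDING line per problem; return 0 when clean, 1 otherwise
tls_lint() {
    findings=0
    protos=$(directive_values "$1" ssl_protocols)
    if [ -z "$protos" ]; then
        echo "FINDING: no ssl_protocols directive; nginx's compiled-in default applies"
        findings=$((findings + 1))
    else
        for old in 'SSLv3' 'TLSv1' 'TLSv1\.1'; do
            if has_token "$protos" "$old"; then
                echo "FINDING: legacy protocol enabled: $(printf '%s' "$old" | tr -d '\\')"
                findings=$((findings + 1))
            fi
        done
        has_token "$protos" 'TLSv1\.3' || {
            echo "FINDING: TLSv1.3 not listed in ssl_protocols (also needs nginx built against OpenSSL 1.1.1+)"
            findings=$((findings + 1))
        }
    fi
    ciphers=$(directive_values "$1" ssl_ciphers)
    if [ -n "$ciphers" ]; then
        bad=""
        nl=$(printf '\nx'); nl=${nl%x}
        old_ifs=$IFS; IFS=":$nl"          # split on ':' and on newlines between directives
        for suite in $ciphers; do
            case $suite in
                !*|ECDHE-*|DHE-*|TLS_*) ;;  # exclusions, PFS suites, TLS 1.3 names: fine
                *) bad="$bad $suite" ;;     # anything else lacks forward secrecy
            esac
        done
        IFS=$old_ifs
        [ -z "$bad" ] || {
            echo "FINDING: ssl_ciphers entries without forward secrecy:$bad"
            findings=$((findings + 1))
        }
    fi
    [ "$findings" -eq 0 ]
}

# tls_probe HOST PORT: one handshake attempt per protocol version against a live
# listener (needs network; -tls1_3 needs OpenSSL 1.1.1+ on the client side too)
tls_probe() {
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$1:$2" -servername "$1" "-$flag" </dev/null >/dev/null 2>&1; then
            echo "$flag: accepted"
        else
            echo "$flag: rejected"
        fi
    done
}

echo "== constructed weak config =="
tls_lint "$WEAK_CONF" || echo "(see findings above)"
echo "== constructed hardened config =="
tls_lint "$HARDENED_CONF" && echo "clean"
# tls_probe device.example 443   # uncomment to probe a real host after restarting nginx
```

To use it on a device, run tls_lint against /var/snap/platform/common/config.runtime/nginx/nginx.conf, restart with `snap restart platform.nginx-public` as above, then run tls_probe against the device's hostname: tls1 and tls1_1 should now report rejected, and tls1_3 will only report accepted if the nginx binary was built against OpenSSL 1.1.1 or later.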