Merge branch 'release/v1.28.0-3'

Author: jelemux

CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v1.28.0-3] - 2025-11-25
+### Fixed
+- [#130] TLS 1.3 Ciphers require a different configuration key in ssl.conf
+  - use only Ciphers that are marked as "MUST" per RFC 8446 to fulfill the TLS 1.3 Standard
+
 ## [v1.28.0-2] - 2025-06-17
 ### Fixed
 - [#127] Include default configuration for ces-exporter access in maintenance mode

Dockerfile

@@ -2,7 +2,7 @@ FROM node:lts-alpine as templating
 
 ENV WORKDIR=/template \
     # Used in template to invalidate caches - do not remove. The release script will auto update this line
-    VERSION="1.28.0-2"
+    VERSION="1.28.0-3"
 
 RUN mkdir -p ${WORKDIR}
 WORKDIR ${WORKDIR}
@@ -68,11 +68,11 @@ RUN wget --progress=bar:force:noscroll -O /tmp/warp.zip https://github.com/cloud
 FROM registry.cloudogu.com/official/base:3.22.0-2
 LABEL maintainer="hello@cloudogu.com" \
       NAME="official/nginx" \
-      VERSION="1.28.0-2"
+      VERSION="1.28.0-3"
 
 ENV CES_MAINTENANCE_MODE=false \
     # Used in template to invalidate caches - do not remove. The release script will auto update this line
-    VERSION="1.28.0-2"
+    VERSION="1.28.0-3"
 
 RUN set -x -o errexit \
  && set -o nounset \

docs/gui/release_notes_de.md

@@ -6,6 +6,10 @@ Technische Details zu einem Release finden Sie im zugehörigen [Changelog](https
 
 ## [Unreleased]
 
+## [v1.28.0-3] - 2025-11-25
+- Nginx unterstützt TLS v1.3
+- Für TLS v1.2 und v1.3 werden nur Ciphers benutzt die mit den BSI-Richtlinien kompatibel sind
+
 ## [v1.28.0-2] - 2025-06-17
 - Wir haben nur technische Änderungen vorgenommen. Näheres finden Sie in den Changelogs.
 

docs/gui/release_notes_en.md

@@ -6,6 +6,10 @@ Technical details on a release can be found in the corresponding [Changelog](htt
 
 ## [Unreleased]
 
+## [v1.28.0-3] - 2025-11-25
+- Nginx supports TLS v1.3
+- For TLS v1.2 and v1.3 only ciphers that are recommended by the BSI Guidelines are used
+
 ## [v1.28.0-2] - 2025-06-17
 - We have only made technical changes. You can find more details in the changelogs.
 

dogu.json

@@ -1,6 +1,6 @@
 {
   "Name": "official/nginx",
-  "Version": "1.28.0-2",
+  "Version": "1.28.0-3",
   "DisplayName": "Nginx",
   "Description": "Nginx WebServer.",
   "Logo": "https://cloudogu.com/images/dogus/nginx.png",

resources/etc/nginx/include.d/ssl.conf.tpl

@@ -9,5 +9,6 @@ ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 5m;
 
 ssl_protocols             TLSv1.2 TLSv1.3;
-ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256";
+ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384;
 ssl_prefer_server_ciphers on;