Implement changes of ssl protocol and ciphers

pwalczysko · Nov 20, 2024 · ef36d3c · ef36d3c
1 parent 2c28f48
commit ef36d3c
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/playbooks/templates/nginx-confdnestedincludes-ssl-conf.j2 b/playbooks/templates/nginx-confdnestedincludes-ssl-conf.j2
@@ -5,8 +5,8 @@ ssl_certificate {{ ssl_certificate_bundled_path }};
 ssl_certificate_key {{ ssl_certificate_key_path }};
 
 # use default ssl_protocols and ssl_ciphers:
-# ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
-# ssl_ciphers         HIGH:!aNULL:!MD5;
+# ssl_protocols  TLSv1.2 TLSv1.3;  # don't use SSLv3 ref: POODLE
+# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 # http://nginx.org/en/docs/http/configuring_https_servers.html
 ssl_prefer_server_ciphers on;
 

diff --git a/playbooks/templates/nginx-omero.conf.j2 b/playbooks/templates/nginx-omero.conf.j2
@@ -9,7 +9,8 @@ server {
 
     ssl_certificate {{ ssl_certificate_bundled_path }};
     ssl_certificate_key {{ ssl_certificate_key_path }};
-    ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;
+    ssl_protocols  TLSv1.2 TLSv1.3;  # don't use SSLv3 ref: POODLE
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 
     if ($ssl_protocol = "") {
         rewrite ^/(.*) https://$host/$1 permanent;