From ef36d3c37420e7b8165069ad1db1a9e2ff996390 Mon Sep 17 00:00:00 2001
From: pwalczysko
Date: Wed, 20 Nov 2024 18:59:20 +0000
Subject: [PATCH] Implement changes of ssl protocol and ciphers
---
playbooks/templates/nginx-confdnestedincludes-ssl-conf.j2 | 4 ++--
playbooks/templates/nginx-omero.conf.j2 | 3 ++-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/playbooks/templates/nginx-confdnestedincludes-ssl-conf.j2 b/playbooks/templates/nginx-confdnestedincludes-ssl-conf.j2
index 2edd2564..cc323a39 100644
--- a/playbooks/templates/nginx-confdnestedincludes-ssl-conf.j2
+++ b/playbooks/templates/nginx-confdnestedincludes-ssl-conf.j2
@@ -5,8 +5,8 @@ ssl_certificate {{ ssl_certificate_bundled_path }};
ssl_certificate_key {{ ssl_certificate_key_path }};
# use default ssl_protocols and ssl_ciphers:
-# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-# ssl_ciphers HIGH:!aNULL:!MD5;
+# ssl_protocols TLSv1.2 TLSv1.3; # don't use SSLv3 ref: POODLE
+# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
# http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_prefer_server_ciphers on;
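Review bot: Both rewritten lines in this hunk are still commented out, so this file's effective protocol and cipher set does not change and remains whatever the installed nginx's built-in default is (older nginx releases default to including TLSv1 and TLSv1.1, which is exactly what the commit sets out to drop; only newer releases default to TLSv1.2/1.3). If the intent is to enforce the new set here, the directives need to be uncommented as they are in nginx-omero.conf.j2; if the default is deliberately relied on, the comment on the line above should say so and name the minimum nginx version that makes that default safe. The trailing comment `# don't use SSLv3 ref: POODLE` is also inaccurate in both this hunk and the nginx-omero.conf.j2 hunk: SSLv3 was never in the previous list, and what is actually removed is TLSv1 and TLSv1.1, so `# ssl_protocols TLSv1.2 TLSv1.3; # TLSv1/TLSv1.1 are deprecated (RFC 8996)` states the real reason. Note as well that `ssl_ciphers` in nginx only governs TLS 1.2 and earlier; the TLS 1.3 suite selection is left to the library (or `ssl_conf_command Ciphersuites` on builds that support it), which is worth a one-line comment so a reader does not assume the list constrains TLS 1.3.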
diff --git a/playbooks/templates/nginx-omero.conf.j2 b/playbooks/templates/nginx-omero.conf.j2
index de7d9526..a00cac89 100644
--- a/playbooks/templates/nginx-omero.conf.j2
+++ b/playbooks/templates/nginx-omero.conf.j2
@@ -9,7 +9,8 @@ server {
ssl_certificate {{ ssl_certificate_bundled_path }};
ssl_certificate_key {{ ssl_certificate_key_path }};
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3; # don't use SSLv3 ref: POODLE
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
if ($ssl_protocol = "") {
rewrite ^/(.*) https://$host/$1 permanent;