request #10924: Update default configuration TLS cipher suites (early…

… 2018 edition)
Enalean · Jan 29, 2018 · 41350e5 · 41350e5
1 parent 01806d3
commit 41350e5
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 5 deletions.
diff --git a/languages/en/administration-guide/advanced-deployments.rst b/languages/en/administration-guide/advanced-deployments.rst
@@ -51,8 +51,8 @@ Configure Nginx
         # You can generated the file with openssl dhparam -out /path/to/dhparam.pem 2048
         ssl_dhparam /path/to/dhparam.pem;
 
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+        ssl_protocols TLSv1.2;
+        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
         ssl_prefer_server_ciphers on;
 
         # ++ Cache media (not mandatory for reverse proxy)

diff --git a/languages/en/administration-guide/distributed-tuleap.rst b/languages/en/administration-guide/distributed-tuleap.rst
@@ -65,7 +65,7 @@ Services
   * The database needs to be **MySQL 5.6**
   * The SVN repository needs to be **svn/wandisco 1.8** or newer
   * You need **Redis 3.2** or newer
-  * You need **RabbitMQ 3.3** or newer 
+  * You need **RabbitMQ 3.3** or newer
 
 On the MySQL server
 '''''''''''''''''''
@@ -396,8 +396,8 @@ Deploy ``/etc/nginx/conf.d/http/tuleap.conf``:
         ssl_session_cache shared:SSL:50m;
         ssl_session_tickets off;
 
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+        ssl_protocols TLSv1.2;
+        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
         ssl_prefer_server_ciphers on;
 
         client_max_body_size 50M;

diff --git a/languages/en/deployment-guide/intro.rst b/languages/en/deployment-guide/intro.rst
@@ -46,6 +46,26 @@ To protect users, new cookies protection have been implemented. To make these
 protections as effective as possible you should make sure the setting ``sys_https_host``
 is not left empty in your ``local.inc`` if your Tuleap instance is reachable over HTTPS.
 
+
+Update default TLS configuration
+--------------------------------
+
+With this release we have updated the default TLS nginx configuration we provide
+by default with Tuleap.
+This change ensure the safest encryption settings will be used between browsers
+and your Tuleap instance.
+
+All new instances of Tuleap will use this configuration by default but if you already
+have an installation, your configuration will be left untouched.
+
+We encourage you to update it. To do it, replace the lines ``ssl_protocols`` and
+``ssl_ciphers`` in ``/etc/nginx/conf.d/tuleap.conf``::
+
+  # modern configuration. tweak to your needs.
+  ssl_protocols TLSv1.2;
+  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+  ssl_prefer_server_ciphers on;
+
 Tuleap 9.16
 ===========