Insecure tlsv10 and tlsv11 ciphers in Stratos UI, bsc#1173295 (#411) (#…

…4460) Co-authored-by: Michal Jura <mjura@users.noreply.github.com>
cloudfoundry · Jul 22, 2020 · 17f4f11 · 17f4f11
1 parent 560b524
commit 17f4f11
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/deploy/containers/nginx/conf/nginx.dev.conf b/deploy/containers/nginx/conf/nginx.dev.conf
@@ -47,8 +47,9 @@ http {
 
         ssl_certificate             /etc/secrets/server.crt;
         ssl_certificate_key         /etc/secrets/server.key;
-        ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
-        ssl_ciphers                 HIGH:!aNULL:!MD5;
+        ssl_protocols               TLSv1.2 TLSv1.3;
+        ssl_ciphers                 ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+        ssl_prefer_server_ciphers   on;
 
         client_max_body_size        50M;
 

diff --git a/deploy/containers/nginx/conf/nginx.k8s.conf b/deploy/containers/nginx/conf/nginx.k8s.conf
@@ -47,8 +47,9 @@ http {
 
         ssl_certificate             /CONSOLE_CERT_PATH/tls.crt;
         ssl_certificate_key         /CONSOLE_CERT_PATH/tls.key;
-        ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
-        ssl_ciphers                 HIGH:!aNULL:!MD5;
+        ssl_protocols               TLSv1.2 TLSv1.3;
+        ssl_ciphers                 ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+        ssl_prefer_server_ciphers   on;
 
         client_max_body_size        50M;