From f333d8cab9c91941e7fe441d7c55db9d6d0051c2 Mon Sep 17 00:00:00 2001
From: Michal Jura
Date: Mon, 20 Jul 2020 12:15:25 +0200
Subject: [PATCH] Insecure tlsv10 and tlsv11 ciphers in Stratos UI, bsc#1173295 (#411)
---
 deploy/containers/nginx/conf/nginx.dev.conf | 5 +++--
 deploy/containers/nginx/conf/nginx.k8s.conf | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/deploy/containers/nginx/conf/nginx.dev.conf b/deploy/containers/nginx/conf/nginx.dev.conf
index 05a2573e92..23719b11b9 100644
--- a/deploy/containers/nginx/conf/nginx.dev.conf
+++ b/deploy/containers/nginx/conf/nginx.dev.conf
@@ -47,8 +47,9 @@ http {
 ssl_certificate /etc/secrets/server.crt;
 ssl_certificate_key /etc/secrets/server.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+ ssl_prefer_server_ciphers on;
 client_max_body_size 50M;
diff --git a/deploy/containers/nginx/conf/nginx.k8s.conf b/deploy/containers/nginx/conf/nginx.k8s.conf
index 2d15a1c960..620b3fd3e3 100644
--- a/deploy/containers/nginx/conf/nginx.k8s.conf
+++ b/deploy/containers/nginx/conf/nginx.k8s.conf
@@ -47,8 +47,9 @@ http {
 ssl_certificate /CONSOLE_CERT_PATH/tls.crt;
 ssl_certificate_key /CONSOLE_CERT_PATH/tls.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+ ssl_prefer_server_ciphers on;
 client_max_body_size 50M;
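Review bot: The added `ssl_ciphers` line in nginx.dev.conf (and the identical one in the nginx.k8s.conf hunk) lists `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512`, which as far as I know are not OpenSSL cipher names; OpenSSL skips unknown entries silently, so the effective TLS 1.2 list is only the three SHA384 suites. Of those, the DHE suite is not offered by nginx 1.11.0 and later unless `ssl_dhparam` is set, which neither hunk shows, and `ECDHE-RSA-AES256-SHA384` is a CBC suite rather than an AEAD one. Every entry is also RSA-authenticated, so a deployment that mounts an ECDSA certificate at `/CONSOLE_CERT_PATH/tls.crt` would fail TLS 1.2 handshakes. I would replace the list with existing AEAD names covering both key types, e.g. `ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;`, and confirm the effective set with `openssl ciphers -v` against the OpenSSL build in the image. The `http` block starts and ends outside both hunks.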