TLSv1 TLSv1.1 Deprecated #42

Closed
insanehong opened this issue Nov 23, 2018 · 3 comments

Comments


insanehong commented Nov 23, 2018

The site's main example config uses TLSv1 (June 18, 2018, deprecated) and TLSv1.1 (December 20, 2018, soon).

https://tools.ietf.org/id/draft-moriarty-tls-oldversions-diediedie-00.html

# Generated by nginxconfig.io

user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
	multi_accept on;
	worker_connections 65535;
}

http {
	charset utf-8;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;
	log_not_found off;
	types_hash_max_size 2048;
	client_max_body_size 16M;

	# MIME
	include mime.types;
	default_type application/octet-stream;

	# logging
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log warn;

	# SSL
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites
	ssl_dhparam /etc/nginx/dhparam.pem;

	# intermediate configuration
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
	ssl_prefer_server_ciphers on;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
	resolver_timeout 2s;

	# load configs
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}
@insanehong insanehong changed the title TLSv1 TLSv1.1 Deprecated TLSv1 Deprecated Nov 23, 2018
@insanehong insanehong changed the title TLSv1 Deprecated TLSv1 TLSv1.1 Deprecated Nov 23, 2018
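As an added example (not part of this issue or of nginxconfig.io's own code), the following Python audit scans an nginx config for every `ssl_protocols` directive, reports which of the listed versions are deprecated (TLSv1 and TLSv1.1, plus SSLv2/SSLv3), and rewrites the directive so that only TLSv1.2 and later remain. The sample config text is constructed from the generated config in the post above; falling back to `TLSv1.2` when nothing acceptable would remain is an assumption of this example, not a rule from the draft or from Mozilla's generator.

```python
import re
from typing import List, Tuple

# Versions to reject. The draft cited in the issue deprecates TLSv1 and
# TLSv1.1; SSLv2/SSLv3 are included as well (assumption: anything below
# TLSv1.2 is unacceptable).
DEPRECATED = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

# Constructed sample, based on the generated config in the post, plus a
# server block with its own directive to show per-block handling.
SAMPLE_CONFIG = """\
http {
    # intermediate configuration
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2 TLSv1.3;
    }
}
"""

# One directive per line: optional indentation, the keyword, the version
# list (no ';' or '#'), then the terminating semicolon.
SSL_PROTOCOLS_RE = re.compile(r"^([ \t]*)ssl_protocols[ \t]+([^;#]+);", re.MULTILINE)


def find_ssl_protocols(config: str) -> List[Tuple[int, List[str]]]:
    """Return (line_number, [versions]) for every ssl_protocols directive."""
    found = []
    for m in SSL_PROTOCOLS_RE.finditer(config):
        line_no = config.count("\n", 0, m.start()) + 1
        found.append((line_no, m.group(2).split()))
    return found


def deprecated_in(protocols: List[str]) -> List[str]:
    """Subset of the listed versions that should no longer be offered."""
    return [p for p in protocols if p in DEPRECATED]


def harden_directive(protocols: List[str]) -> str:
    """Rebuild the directive with deprecated versions dropped."""
    kept = [p for p in protocols if p not in DEPRECATED]
    if not kept:
        kept = ["TLSv1.2"]  # assumption: TLSv1.2 as the minimum floor
    return "ssl_protocols " + " ".join(kept) + ";"


def harden_config(config: str) -> str:
    """Rewrite every ssl_protocols directive in place, keeping indentation."""
    def repl(m: "re.Match[str]") -> str:
        return m.group(1) + harden_directive(m.group(2).split())
    return SSL_PROTOCOLS_RE.sub(repl, config)


def audit(config: str) -> List[str]:
    """Human-readable findings, one per directive that lists a deprecated version."""
    findings = []
    for line_no, protocols in find_ssl_protocols(config):
        bad = deprecated_in(protocols)
        if bad:
            findings.append(
                f"line {line_no}: offers {' '.join(bad)}; "
                f"suggest: {harden_directive(protocols)}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("--- hardened config ---")
    print(harden_config(SAMPLE_CONFIG), end="")
```

Run it against a real file by reading the file contents into `audit()` instead of `SAMPLE_CONFIG`; the cipher list stays untouched, since removing protocol versions is independent of which suites are offered.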
0xb4lint commented

nginxconfig.io is using the Mozilla SSL Configuration Generator's logic; the default SSL profile is intermediate. Are you suggesting changing the default preset to modern?


Trozz commented Nov 25, 2018

If we follow what is suggested by the IETF then we should look for modern to become default, or we can commit to Mozilla's repo first and then push to here, but that way around seems a bit redundant when we could open PRs for both repos.


0xb4lint commented Dec 2, 2018

I've committed 1801707.
Also waiting for mozilla/server-side-tls#191 and mozilla/server-side-tls#217.
