2d98d70e02
Update nginx cipher suite and TLS protocols
...
Use latest Mozilla "intermediate" TLS settings. This configuration
works on (at least) Ubuntu 18.04 and Debian 10.
See: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate&openssl-version=1.1.1
2019-07-23 17:53:22 +03:00
10cbf75c27
group_vars/all: Disable TLS cipher suites using Triple DES
...
An attack on Triple DES was recently published[0]. It's not a very
high severity attack but the fact is that Triple DES is very old
and there are much better ciphers to use, like AES and ChaCha20.
I logged the ciphers that were negotiated on all of my vhosts over
a period of 72 hours and there were zero occurrences of Triple DES,
so I am removing it, as suggested by the authors of the attack as
well as OpenSSL[1].
[0] https://sweet32.info
[1] https://www.openssl.org/blog/blog/2016/08/24/sweet32/
2016-08-27 18:25:37 +03:00
c3dc5dc0aa
group_vars/all: Update TLS cipher suite to latest Mozilla "Intermediate" recommendations
...
See: https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-08 12:45:58 +02:00
5c0a7c2c72
group_vars/all: Update TLS cipher suite
...
Use latest Mozilla intermediate suite:
https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 15:11:57 +03:00
54993d6d6b
Update tls cipher suite with latest string from Mozilla TLS guide
...
https://wiki.mozilla.org/Security/Server_Side_TLS states:
Version 3.3: ulfr: fix SHA256 prio, add POODLE details, update various templates
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-25 12:36:19 +03:00
81a98596e3
Downgrade TLS configuration to Mozilla's "intermediate" spec
...
From looking at the list of clients who would be allowed to connect
when using the "modern" spec, I think I'd be doing more harm than
good to use that config right now...
https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org
https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 21:09:18 +03:00
ad8a704470
Update TLS configuration to Mozilla's "modern" spec
...
Details, see:
- https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines
- https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:56:08 +03:00
1e54507b05
group_vars/all: Remove host-specific configs
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-25 11:45:08 +03:00
60b8ecdd4c
Initial commit
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-17 00:35:57 +03:00