Commit Graph

9 Commits

Author SHA1 Message Date
2d98d70e02
Update nginx cipher suite and TLS protocols
Use latest Mozilla "intermediate" TLS settings. This configuration
works on (at least) Ubuntu 18.04 and Debian 10.

See: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate&openssl-version=1.1.1
2019-07-23 17:53:22 +03:00
10cbf75c27
group_vars/all: Disable TLS cipher suites using Triple DES
An attack on Triple DES was recently published[0]. It's not a very
high severity attack but the fact is that Triple DES is very old
and there are much better ciphers to use, like AES and ChaCha20.

I logged the ciphers that were negotiated on all of my vhosts over
a period of 72 hours and there were zero occurences of Triple DES,
so I am removing it, as suggested by the authors of the attack as
well as OpenSSL[1].

[0] https://sweet32.info
[1] https://www.openssl.org/blog/blog/2016/08/24/sweet32/
2016-08-27 18:25:37 +03:00
c3dc5dc0aa
group_vars/all: Update TLS cipher suite to latest Mozilla "Intermediate" recommendations
See: https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-08 12:45:58 +02:00
5c0a7c2c72 group_vars/all: Update TLS cipher suite
Use latest Mozilla intermediate suite:

https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 15:11:57 +03:00
54993d6d6b
Update tls cipher suite with latest string from Mozilla TLS guide
https://wiki.mozilla.org/Security/Server_Side_TLS states"

    Version 3.3: ulfr: fix SHA256 prio, add POODLE details, update various templates

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-25 12:36:19 +03:00
81a98596e3
Downgrade TLS configuration to Mozilla's "intermediate" spec
From looking at the list of clients who would be allowed to connect
when using the "modern" spec, I think I'd be doing more harm than
good to use that config right now...

https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org
https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 21:09:18 +03:00
ad8a704470
Update TLS configuration to Mozilla's "modern" spec
Details, see:

- https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines
- https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:56:08 +03:00
1e54507b05
group_vars/all: Remove host-specific configs
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-25 11:45:08 +03:00
60b8ecdd4c
Initial commit
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-17 00:35:57 +03:00