alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity
872 Commits 2 Branches 0 Tags 4.2 MiB
65e6dd34cd
Commit Graph

9 Commits

Author SHA1 Message Date
Alan Orth
2d98d70e02
Update nginx cipher suite and TLS protocols 
Use latest Mozilla "intermediate" TLS settings. This configuration
works on (at least) Ubuntu 18.04 and Debian 10.

See: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate&openssl-version=1.1.1
 2019-07-23 17:53:22 +03:00
Alan Orth
10cbf75c27
group_vars/all: Disable TLS cipher suites using Triple DES 
An attack on Triple DES was recently published[0]. It's not a very
high severity attack but the fact is that Triple DES is very old
and there are much better ciphers to use, like AES and ChaCha20.

I logged the ciphers that were negotiated on all of my vhosts over
a period of 72 hours and there were zero occurences of Triple DES,
so I am removing it, as suggested by the authors of the attack as
well as OpenSSL[1].

[0] https://sweet32.info
[1] https://www.openssl.org/blog/blog/2016/08/24/sweet32/
 2016-08-27 18:25:37 +03:00
Alan Orth
c3dc5dc0aa
group_vars/all: Update TLS cipher suite to latest Mozilla "Intermediate" recommendations 
See: https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2016-03-08 12:45:58 +02:00
Alan Orth
5c0a7c2c72 group_vars/all: Update TLS cipher suite 
Use latest Mozilla intermediate suite:

https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-09-02 15:11:57 +03:00
Alan Orth
54993d6d6b
Update tls cipher suite with latest string from Mozilla TLS guide 
https://wiki.mozilla.org/Security/Server_Side_TLS states"

    Version 3.3: ulfr: fix SHA256 prio, add POODLE details, update various templates

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-25 12:36:19 +03:00
Alan Orth
81a98596e3
Downgrade TLS configuration to Mozilla's "intermediate" spec 
From looking at the list of clients who would be allowed to connect
when using the "modern" spec, I think I'd be doing more harm than
good to use that config right now...

https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org
https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-09 21:09:18 +03:00
Alan Orth
ad8a704470
Update TLS configuration to Mozilla's "modern" spec 
Details, see:

- https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines
- https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-09 20:56:08 +03:00
Alan Orth
1e54507b05
group_vars/all: Remove host-specific configs 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-25 11:45:08 +03:00
Alan Orth
60b8ecdd4c
Initial commit 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-17 00:35:57 +03:00