Merge pull request #27 from aaronraimist/disable-tls1.0
Disable TLS 1.0
commit
94bd5acc1a
11
CHANGELOG.md
11
CHANGELOG.md
|
@ -1,3 +1,14 @@
|
||||||
|
# 2018-11-03
|
||||||
|
|
||||||
|
## SSL protocols used to serve Riot and Synapse
|
||||||
|
|
||||||
|
There's now a new `matrix_nginx_proxy_ssl_protocols` playbook variable, which controls the SSL protocols used to serve Riot and Synapse. It's default value is `TLSv1.1 TLSv1.2`. This playbook previously used `TLSv1 TLSv1.1 TLSv1.2` to serve Riot and Synapse.
|
||||||
|
|
||||||
|
You may wish to reenable TLSv1 if you need to access Riot in older browsers.
|
||||||
|
|
||||||
|
Note: Currently the dockerized nginx doesn't support TLSv1.3. See https://github.com/nginxinc/docker-nginx/issues/190 for more details.
|
||||||
|
|
||||||
|
|
||||||
# 2018-11-01
|
# 2018-11-01
|
||||||
|
|
||||||
## Postgres 11 support
|
## Postgres 11 support
|
||||||
|
|
|
@ -294,6 +294,11 @@ matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:8008"
|
||||||
# a new SSL certificate could go into effect.
|
# a new SSL certificate could go into effect.
|
||||||
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
|
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
|
||||||
|
|
||||||
|
# Specifies which SSL protocols to use when serving Riot and Synapse
|
||||||
|
# Note TLSv1.3 is not yet available in dockerized nginx
|
||||||
|
# See: https://github.com/nginxinc/docker-nginx/issues/190
|
||||||
|
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
|
||||||
|
|
||||||
|
|
||||||
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
|
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
|
||||||
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
|
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
|
||||||
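Review bot: The new default `matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"` is interpolated verbatim into nginx's `ssl_protocols` directive in the two templates changed by this PR, but the comment above it never says what values are valid, so a comma-separated or misspelled value only surfaces when nginx fails to reload. I would extend the comment: `# Space-separated list of protocol names accepted by nginx's ssl_protocols directive; rendered verbatim into the proxy config, so an invalid value breaks the nginx reload`. It is also worth reconsidering whether TLSv1.1 belongs in the default at all: it defines no AEAD cipher suites, so it shares most of TLSv1's weaknesses, and the major browser vendors announced in October 2018 that both TLS 1.0 and 1.1 would be removed, which suggests a `TLSv1.2`-only default with the opt-in already described in the changelog. The enclosing defaults file continues on both sides of the hunk.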
|
|
|
@ -35,7 +35,7 @@ server {
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/fullchain.pem;
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/fullchain.pem;
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/privkey.pem;
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/privkey.pem;
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||||
|
|
||||||
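Review bot: `ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};` is now operator-configurable, but the `ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";` line two lines below stays hard-coded, so someone who narrows or widens the protocol list cannot adjust the suites to match; for consistency the cipher string could be exposed through a companion variable (a name like `matrix_nginx_proxy_ssl_ciphers`, chosen here to mirror the new protocols variable, with the current string as its default). Since the shipped default still permits TLSv1.1, the `AES256+EECDH:AES256+EDH` part of that string presumably leaves CBC-mode suites negotiable for TLSv1.1 clients, which deserves a comment next to the directive so a later reviewer knows the pairing is intentional. The same applies to the second server template hunk below (the `hostname_matrix` one), which makes the identical substitution. The `server {` block these lines sit in begins outside the hunk.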
|
|
|
@ -35,7 +35,7 @@ server {
|
||||||
|
|
||||||
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/fullchain.pem;
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/fullchain.pem;
|
||||||
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/privkey.pem;
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/privkey.pem;
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||||
|
|
||||||
|
|