Replacing old TLS versions and insecure ciphers #414
Closed
Description of the issue/feature this PR addresses:
NEVER use SSL / TLS in outdated versions or insecure / outdated ciphers. Current state-of-the-art TLS versions are TLSv1.2 and TLSv1.3. TLSv1.2 is only enabled for backwards compatibility. Ciphers are taken out of the guide.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
These are the recommended ciphers from source 4, in combination with all other sources.
source 1: https://www.linuxtechi.com/harden-secure-nginx-web-server-linux
source 2: https://beaglesecurity.com/blog/article/nginx-server-security.html
source 3: https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
source 4: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
Current behavior before PR:
Using outdated TLS versions and SSL ciphers.
Desired behavior after PR is merged:
Solved that issue; it could be a bit slower and drops support for old systems. However, most systems use TLSv1.2 and TLSv1.3. If downgrading is needed, the git commit history shows the old file, which can be taken.
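A check a reviewer can run locally before merging a cipher string like the one above: OpenSSL (and therefore nginx) silently drops names it does not recognise, so this added script, not part of the PR, asks the local OpenSSL which names in the list actually resolve and which resolved suites lack forward secrecy. It assumes Python 3.7+ linked against OpenSSL 1.1.0 or newer; `PR_CIPHERS` is a copy of the `ssl_ciphers` value from the PR text.

```python
import ssl

# Copy of the ssl_ciphers value proposed in the PR (constructed from the page text).
PR_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384"
)


def cipher_string_is_usable(cipher_string: str) -> bool:
    """True if OpenSSL can select at least one suite from the string.
    This is the only error nginx would ever see: a string where *every*
    name is unknown fails, a string with some unknown names does not."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def resolve_cipher_list(cipher_string: str) -> dict:
    """Map each name in the string to True/False depending on whether the
    local OpenSSL knows it. Unknown names (typos, suites that never existed)
    are dropped without any warning, so the effective list can be shorter
    than the configured one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # same policy as the PR: 1.2 and 1.3 only
    ctx.set_ciphers(cipher_string)
    known = {c["name"] for c in ctx.get_ciphers()}
    return {name: name in known for name in cipher_string.split(":")}


def non_pfs_suites(cipher_string: str) -> list:
    """Names from the string that resolved but use static RSA key exchange
    (Kx=RSA in OpenSSL's description), i.e. no forward secrecy. TLS 1.3
    suites report Kx=any and are always forward secret."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    wanted = set(cipher_string.split(":"))
    return [c["name"] for c in ctx.get_ciphers()
            if c["name"] in wanted and "Kx=RSA" in c["description"]]


if __name__ == "__main__":
    for name, ok in resolve_cipher_list(PR_CIPHERS).items():
        print(f"{'ok     ' if ok else 'UNKNOWN'} {name}")
    print("suites without forward secrecy:", non_pfs_suites(PR_CIPHERS))
```

Running it shows that the two `...-GCM-SHA512` names do not resolve (no such suites exist in OpenSSL), so only the remaining three TLSv1.2 suites are actually configured; `openssl ciphers -v '<string>'` gives the same answer from the command line.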