[Pkg-nginx-maintainers] Bug#915499: nginx: ship a snippet for strong SSL options

[Sampo Sorsa]

Hello,

No deeper research on my part. I just noticed the mailman3 snippet, and figured it's probably not a good idea to ship different SSL harderning snippets in various packages. Maintainers of apache2/nginx are probably in the best position to determine SSL options that are compatible with Debian, and maintaining their relevancy.

--
Sampo Sorsa

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, December 4, 2018 9:55 PM, Thomas Ward <teward at dark-net.net> wrote:

> I should point out that "strong" options are typically only for the most modern grades of interactivity of SSL compatibility.  Therefore Cipherli.st's recommendations are not altogether the most same approach to this even if it's a non-default config snippet.
>
> Permit me to ask this, but what basis is being used by you to determine "strong" options here?  Purely cipherli.st or other sources of research as well to support the "strong" definition in this case?
>
> Thomas
>
> On Tue, Dec 4, 2018, 01:42 Sampo Sorsa <sorsasampo at protonmail.com wrote:
>
>> Source: nginx
>> Severity: wishlist
>>
>> nginx could ship with /etc/nginx/snippets/ssl-strong.conf that contains strong SSL options that can be included easily.
>>
>> Currently at least mailman3 ships with /etc/mailman3/nginx.conf containing SSL options. It would be a good idea to provide these in one place and just include in other packages.
>>
>> Perhaps consider relevant parts of https://cipherli.st/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-nginx-maintainers/attachments/20181228/a4841b09/attachment.html>