[Pkg-nginx-maintainers] Bug#915499: nginx: ship a snippet for strong SSL options

Thomas Ward teward at dark-net.net
Fri Dec 28 15:51:57 GMT 2018


If we intend to go down this route, then we need to actually ship *two*
snippets - to use Mozilla's TLS guide phrasing, one for 'modern', and one
for 'intermediate'.  The number of 'legacy' devices still out there
requires that we not just go for the strongest options by default.

This being said... this would require regular updates as ciphers and
standards change.  Which means frequently updating the snippet.

On Fri, Dec 28, 2018, 08:14 Sampo Sorsa <sorsasampo at protonmail.com> wrote:

> Hello,
>
> No deeper research on my part. I just noticed the mailman3 snippet, and
> figured it's probably not a good idea to ship different SSL hardening
> snippets in various packages. Maintainers of apache2/nginx are probably in
> the best position to determine SSL options that are compatible with Debian,
> and maintaining their relevancy.
>
> --
> Sampo Sorsa
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, December 4, 2018 9:55 PM, Thomas Ward <teward at dark-net.net>
> wrote:
>
> I should point out that "strong" options are typically only for the most
> modern grades of interactivity of SSL compatibility.  Therefore
> Cipherli.st's recommendations are not altogether the most same approach to
> this even if it's a non-default config snippet.
>
> Permit me to ask this, but what basis is being used by you to determine
> "strong" options here?  Purely cipherli.st or other sources of research
> as well to support the "strong" definition in this case?
>
>
> Thomas
>
> On Tue, Dec 4, 2018, 01:42 Sampo Sorsa <sorsasampo at protonmail.com> wrote:
>
>> Source: nginx
>> Severity: wishlist
>>
>> nginx could ship with /etc/nginx/snippets/ssl-strong.conf that contains
>> strong SSL options that can be included easily.
>>
>> Currently at least mailman3 ships with /etc/mailman3/nginx.conf
>> containing SSL options. It would be a good idea to provide these in one
>> place and just include in other packages.
>>
>>
>> Perhaps consider relevant parts of https://cipherli.st/
>>
>>
>
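The two-profile layout described at the top of this message, written out as an added illustration (not code from the bug report, from the nginx package, or from any of the participants). The file names under /etc/nginx/snippets/ are hypothetical, the directives follow what Mozilla's TLS guide called the 'modern' and 'intermediate' profiles at the time of the thread, and the exact cipher list is an assumption that would need the regular refreshing the message above warns about.

```nginx
# --- /etc/nginx/snippets/ssl-modern.conf (hypothetical file) ---
# 'Modern' profile: TLS 1.3 only. TLS 1.3 suites are fixed by the protocol,
# so no ssl_ciphers line is needed. TLS 1.2-only clients cannot connect,
# which is exactly the 'legacy devices' trade-off discussed above.
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;

# Session resumption via a server-side cache; tickets off so resumed
# sessions do not depend on a long-lived ticket key.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;


# --- /etc/nginx/snippets/ssl-intermediate.conf (hypothetical file) ---
# 'Intermediate' profile: TLS 1.2 + 1.3, AEAD suites with forward secrecy
# only (ECDHE first, DHE as fallback). Cipher list is illustrative and
# dates quickly; it is the part that needs periodic maintainer review.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# The DHE suites need a >= 2048-bit group generated by the administrator
# (openssl dhparam), so a package cannot ship this file. On nginx 1.11.0+
# DHE suites are simply not offered while ssl_dhparam is unset.
ssl_dhparam /etc/nginx/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;


# --- usage in a site file (certificate paths are placeholders) ---
# Debian's nginx resolves 'include snippets/...' relative to /etc/nginx,
# the same way the shipped snakeoil.conf snippet is included today.
server {
    listen 443 ssl;
    server_name example.org;
    include snippets/ssl-intermediate.conf;
    ssl_certificate     /etc/ssl/certs/example.org.pem;
    ssl_certificate_key /etc/ssl/private/example.org.key;
}
```

Keeping protocol/cipher policy in the snippet and certificate paths in the site file is what lets one package (mailman3 in this thread) include the policy without duplicating it; `nginx -t` after each snippet update catches a cipher name that the installed OpenSSL no longer recognises.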