Slightly relax Cipher Suite hardening

This enables legacy software like apps on android 4.4.2 and matches the traefik configuration, where the specific cipher suite is already allowed.
author: Markus Richter <8398165+mqus@users.noreply.github.com> 2019-12-11 22:33:35 +0100
committer: Chocobozzz <chocobozzz@cpy.re> 2019-12-12 10:03:56 +0100
commit: 729c0f4d419ef5b6eb59d290950c3378f9f17191 (patch)
tree: f5507274af3912009d5c866f67d883de24759d52
parent: c82bf36a3f61fe051a2ead506a6f7b90d083bb32 (diff)
download: PeerTube-729c0f4d419ef5b6eb59d290950c3378f9f17191.tar.gz
PeerTube-729c0f4d419ef5b6eb59d290950c3378f9f17191.tar.zst
PeerTube-729c0f4d419ef5b6eb59d290950c3378f9f17191.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/support/nginx/peertube b/support/nginx/peertube
index a278524ba..08fae2928 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -25,7 +25,7 @@ server {
  # Security hardening (as of 11/02/2018)
  ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
  ssl_prefer_server_ciphers on;
-  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-SHA'; # AES256-SHA alias TLS_RSA_WITH_AES_256_CBC_SHA is neccessary for apps on older clients such as android 4.4.2, where more modern cipher suites are not supported.
  # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
  ssl_session_timeout  10m;
  ssl_session_cache shared:SSL:10m;
author	Markus Richter <8398165+mqus@users.noreply.github.com>	2019-12-11 22:33:35 +0100
committer	Chocobozzz <chocobozzz@cpy.re>	2019-12-12 10:03:56 +0100
commit	729c0f4d419ef5b6eb59d290950c3378f9f17191 (patch)
tree	f5507274af3912009d5c866f67d883de24759d52
parent	c82bf36a3f61fe051a2ead506a6f7b90d083bb32 (diff)
download	PeerTube-729c0f4d419ef5b6eb59d290950c3378f9f17191.tar.gz PeerTube-729c0f4d419ef5b6eb59d290950c3378f9f17191.tar.zst PeerTube-729c0f4d419ef5b6eb59d290950c3378f9f17191.zip

diff --git a/support/nginx/peertube b/support/nginx/peertube index a278524ba..08fae2928 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube
@@ -25,7 +25,7 @@ server {
25	# Security hardening (as of 11/02/2018)	25	# Security hardening (as of 11/02/2018)
26	ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0	26	ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
27	ssl_prefer_server_ciphers on;	27	ssl_prefer_server_ciphers on;
28	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';	28	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-SHA'; # AES256-SHA alias TLS_RSA_WITH_AES_256_CBC_SHA is neccessary for apps on older clients such as android 4.4.2, where more modern cipher suites are not supported.
29	# ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script	29	# ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
30	ssl_session_timeout 10m;	30	ssl_session_timeout 10m;
31	ssl_session_cache shared:SSL:10m;	31	ssl_session_cache shared:SSL:10m;