aboutsummaryrefslogtreecommitdiffhomepage
path: root/support
diff options
context:
space:
mode:
authorMarkus Richter <8398165+mqus@users.noreply.github.com>2019-12-11 22:33:35 +0100
committerChocobozzz <chocobozzz@cpy.re>2019-12-12 10:03:56 +0100
commit729c0f4d419ef5b6eb59d290950c3378f9f17191 (patch)
treef5507274af3912009d5c866f67d883de24759d52 /support
parentc82bf36a3f61fe051a2ead506a6f7b90d083bb32 (diff)
downloadPeerTube-729c0f4d419ef5b6eb59d290950c3378f9f17191.tar.gz
PeerTube-729c0f4d419ef5b6eb59d290950c3378f9f17191.tar.zst
PeerTube-729c0f4d419ef5b6eb59d290950c3378f9f17191.zip
Slightly relax Cipher Suite hardening
This enables legacy software like apps on android 4.4.2 and matches the traefik configuration, where the specific cipher suite is already allowed.
Diffstat (limited to 'support')
-rw-r--r--support/nginx/peertube2
1 files changed, 1 insertions, 1 deletions
diff --git a/support/nginx/peertube b/support/nginx/peertube
index a278524ba..08fae2928 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -25,7 +25,7 @@ server {
25 # Security hardening (as of 11/02/2018) 25 # Security hardening (as of 11/02/2018)
26 ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0 26 ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0
27 ssl_prefer_server_ciphers on; 27 ssl_prefer_server_ciphers on;
28 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; 28 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-SHA'; # AES256-SHA alias TLS_RSA_WITH_AES_256_CBC_SHA is neccessary for apps on older clients such as android 4.4.2, where more modern cipher suites are not supported.
29 # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script 29 # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script
30 ssl_session_timeout 10m; 30 ssl_session_timeout 10m;
31 ssl_session_cache shared:SSL:10m; 31 ssl_session_cache shared:SSL:10m;