diff options
author | Markus Richter <8398165+mqus@users.noreply.github.com> | 2019-12-11 22:33:35 +0100 |
---|---|---|
committer | Chocobozzz <chocobozzz@cpy.re> | 2019-12-12 10:03:56 +0100 |
commit | 729c0f4d419ef5b6eb59d290950c3378f9f17191 (patch) | |
tree | f5507274af3912009d5c866f67d883de24759d52 /support | |
parent | c82bf36a3f61fe051a2ead506a6f7b90d083bb32 (diff) | |
download | PeerTube-729c0f4d419ef5b6eb59d290950c3378f9f17191.tar.gz PeerTube-729c0f4d419ef5b6eb59d290950c3378f9f17191.tar.zst PeerTube-729c0f4d419ef5b6eb59d290950c3378f9f17191.zip |
Slightly relax Cipher Suite hardening
This enables legacy software like apps on android 4.4.2 and matches the traefik configuration, where the specific cipher suite is already allowed.
Diffstat (limited to 'support')
-rw-r--r-- | support/nginx/peertube | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/support/nginx/peertube b/support/nginx/peertube index a278524ba..08fae2928 100644 --- a/support/nginx/peertube +++ b/support/nginx/peertube | |||
@@ -25,7 +25,7 @@ server { | |||
25 | # Security hardening (as of 11/02/2018) | 25 | # Security hardening (as of 11/02/2018) |
26 | ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0 | 26 | ssl_protocols TLSv1.2; # TLSv1.3, TLSv1.2 if nginx >= 1.13.0 |
27 | ssl_prefer_server_ciphers on; | 27 | ssl_prefer_server_ciphers on; |
28 | ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | 28 | ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-SHA'; # AES256-SHA alias TLS_RSA_WITH_AES_256_CBC_SHA is neccessary for apps on older clients such as android 4.4.2, where more modern cipher suites are not supported. |
29 | # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script | 29 | # ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0, not compatible with import-videos script |
30 | ssl_session_timeout 10m; | 30 | ssl_session_timeout 10m; |
31 | ssl_session_cache shared:SSL:10m; | 31 | ssl_session_cache shared:SSL:10m; |