author | Andrew Geissler <geissonator@yahoo.com> | 2018-05-31 07:02:43 -0700 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-06-04 17:46:45 +0000 |
commit | ca4097f1a205cb17be82ea071df088e78d031170 (patch) | |
tree | 6eb281878d9779f60ecddc9263c52436b519d458 | |
parent | a9603e068bdd7b6311d1fcec1e6b62980ac846d8 (diff) | |
download | talos-openbmc-ca4097f1a205cb17be82ea071df088e78d031170.tar.gz talos-openbmc-ca4097f1a205cb17be82ea071df088e78d031170.zip |
Move nginx ciphers to mozilla guidelines
Update the supported ciphers to those under the
"Modern" section for mozilla.
https://wiki.mozilla.org/Security/Server_Side_TLS
Resolves openbmc/openbmc#3209
Tested: Built image and verified nginx correctly starts
and REST APIs still work as expected.
Change-Id: I6692b42b6a1dec10e51b72654e75da4f0c0d3b99
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
-rw-r--r-- | meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf
index a626e4ad3..74010f9db 100644
--- a/meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf
+++ b/meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf
@@ -14,6 +14,8 @@ events {
 # Note that a lot of these settings come from the OWASP Secure
 # Configuration guide for nginx
 # https://www.owasp.org/index.php/SCG_WS_nginx
+# and the mozilla security guidelines
+# https://wiki.mozilla.org/Security/Server_Side_TLS
 http {
 include mime.types;
@@ -59,8 +61,7 @@ http {
 ssl_certificate_key @CERTPATH@/cert.pem;
 ssl_session_timeout 5m;
 ssl_protocols TLSv1.2;
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
-
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
 ssl_prefer_server_ciphers on;
 location / {
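Review bot: The new `ssl_ciphers` line in the second hunk is a bare copy of an external list with no note of which Mozilla profile it came from or when, so a later reader cannot tell whether it has drifted from the guideline or was tailored on purpose; a one-line comment directly above it would fix that, e.g. `# Mozilla "Modern" profile (TLS 1.2 only) as of this commit; re-check https://wiki.mozilla.org/Security/Server_Side_TLS before editing`. The four `ECDHE-*-AES*-SHA384`/`-SHA256` entries at the end of the list are CBC-mode suites rather than AEAD; they appear to be part of the profile being copied, but if the intent is AEAD-only for the REST interface they are the ones to trim, and that decision is worth recording in the same comment. The `ECDHE-ECDSA-*` entries only ever negotiate if the key at `@CERTPATH@/cert.pem` is an ECDSA key, which cannot be determined from this hunk; they are harmless with an RSA certificate but the comment could say which key type the image actually ships. The enclosing `http {` block continues outside the hunk.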