finallycoffee/matrix-docker-ansible-deploy
finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Disable TLSv1.1 by default

Browse Source
This commit is contained in:
Slavi Pantaleev 2020-01-30 12:56:20 +02:00
parent f9a67624e1
commit f18037ae42
6 changed files with 15 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
CHANGELOG.md
View File

@ -1,3 +1,12 @@
# 2020-01-30
## Disabling TLSv1.1
To improve security, we've removed TLSv1.1 support from our default matrix-nginx-proxy configuration.
If you need to support old clients, you can re-enable it with the following configuration: `matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"`
# 2020-01-21 # 2020-01-21
## Postgres collation changes (action required!) ## Postgres collation changes (action required!)

2
docs/configuring-playbook-own-webserver.md
View File

@ -52,7 +52,7 @@ Note that if your nginx version is old, it might not like our default choice of
```yaml ```yaml
# Custom protocol list (removing `TLSv1.3`) to suit your nginx version. # Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
``` ```

2
examples/apache/matrix-dimension.conf
View File

@ -26,7 +26,7 @@
SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
SSLProxyEngine on SSLProxyEngine on
SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On ProxyPreserveHost On

2
examples/apache/matrix-riot-web.conf
View File

@ -26,7 +26,7 @@
SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem
SSLProxyEngine on SSLProxyEngine on
SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On ProxyPreserveHost On

4
examples/apache/matrix-synapse.conf
View File

@ -26,7 +26,7 @@
SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
SSLProxyEngine on SSLProxyEngine on
SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On ProxyPreserveHost On
@ -103,7 +103,7 @@ Listen 8448
SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
SSLProxyEngine on SSLProxyEngine on
SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 SSLProxyProtocol +TLSv1.2 +TLSv1.3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ProxyPreserveHost On ProxyPreserveHost On

2
roles/matrix-nginx-proxy/defaults/main.yml
View File

@ -160,7 +160,7 @@ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
# Specifies which SSL protocols to use when serving Riot and Synapse # Specifies which SSL protocols to use when serving Riot and Synapse
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"
# Controls whether the self-check feature should validate SSL certificates. # Controls whether the self-check feature should validate SSL certificates.
matrix_nginx_proxy_self_check_validate_certificates: true matrix_nginx_proxy_self_check_validate_certificates: true