Disable TLSv1.1 by default

před 6 roky · f18037ae42
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,12 @@
 # 2020-01-30

 ## Disabling TLSv1.1

 To improve security, we've removed TLSv1.1 support from our default matrix-nginx-proxy configuration.

 If you need to support old clients, you can re-enable it with the following configuration: `matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"`


 # 2020-01-21

 ## Postgres collation changes (action required!)
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@@ -52,7 +52,7 @@ Note that if your nginx version is old, it might not like our default choice of

 ```yaml
 # Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
 matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
 matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
 ```


--- a/examples/apache/matrix-dimension.conf
+++ b/examples/apache/matrix-dimension.conf
@@ -26,7 +26,7 @@
 	SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem

 	SSLProxyEngine on
 	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
 	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 	ProxyPreserveHost On
--- a/examples/apache/matrix-riot-web.conf
+++ b/examples/apache/matrix-riot-web.conf
@@ -26,7 +26,7 @@
 	SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem

 	SSLProxyEngine on
 	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
 	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 	ProxyPreserveHost On
--- a/examples/apache/matrix-synapse.conf
+++ b/examples/apache/matrix-synapse.conf
@@ -26,7 +26,7 @@
 	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem

 	SSLProxyEngine on
 	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
 	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 	ProxyPreserveHost On
@@ -103,7 +103,7 @@ Listen 8448
 	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem

 	SSLProxyEngine on
 	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
 	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 	ProxyPreserveHost On
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -160,7 +160,7 @@ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
 matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"

 # Specifies which SSL protocols to use when serving Riot and Synapse
 matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
 matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"

 # Controls whether the self-check feature should validate SSL certificates.
 matrix_nginx_proxy_self_check_validate_certificates: true