| @@ -1,3 +1,12 @@ | |||||
| # 2020-01-30 | |||||
| ## Disabling TLSv1.1 | |||||
| To improve security, we've removed TLSv1.1 support from our default matrix-nginx-proxy configuration. | |||||
| If you need to support old clients, you can re-enable it with the following configuration: `matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"` | |||||
| # 2020-01-21 | # 2020-01-21 | ||||
| ## Postgres collation changes (action required!) | ## Postgres collation changes (action required!) | ||||
| @@ -52,7 +52,7 @@ Note that if your nginx version is old, it might not like our default choice of | |||||
| ```yaml | ```yaml | ||||
| # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. | # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. | ||||
| matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" | |||||
| matrix_nginx_proxy_ssl_protocols: "TLSv1.2" | |||||
| ``` | ``` | ||||
| @@ -26,7 +26,7 @@ | |||||
| SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem | SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem | ||||
| SSLProxyEngine on | SSLProxyEngine on | ||||
| SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 | |||||
| SSLProxyProtocol +TLSv1.2 +TLSv1.3 | |||||
| SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | ||||
| ProxyPreserveHost On | ProxyPreserveHost On | ||||
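Review bot: `SSLProxyProtocol` only limits the TLS versions Apache offers when it connects to a backend as a proxy client, so dropping `+TLSv1.1` here does not stop this vhost from accepting TLSv1.1 from browsers or federation peers. The client-facing side is governed by `SSLProtocol`, and no such line is visible in this hunk (the VirtualHost continues outside it); if none is set, the server-wide default protocol set still applies. To match what the nginx default now does, add `SSLProtocol -all +TLSv1.2 +TLSv1.3` next to the certificate directives. The same applies to the riot, matrix and port-8448 hunks that follow.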
| @@ -26,7 +26,7 @@ | |||||
| SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem | SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem | ||||
| SSLProxyEngine on | SSLProxyEngine on | ||||
| SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 | |||||
| SSLProxyProtocol +TLSv1.2 +TLSv1.3 | |||||
| SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | ||||
| ProxyPreserveHost On | ProxyPreserveHost On | ||||
| @@ -26,7 +26,7 @@ | |||||
| SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem | SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem | ||||
| SSLProxyEngine on | SSLProxyEngine on | ||||
| SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 | |||||
| SSLProxyProtocol +TLSv1.2 +TLSv1.3 | |||||
| SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | ||||
| ProxyPreserveHost On | ProxyPreserveHost On | ||||
| @@ -103,7 +103,7 @@ Listen 8448 | |||||
| SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem | SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem | ||||
| SSLProxyEngine on | SSLProxyEngine on | ||||
| SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3 | |||||
| SSLProxyProtocol +TLSv1.2 +TLSv1.3 | |||||
| SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | ||||
| ProxyPreserveHost On | ProxyPreserveHost On | ||||
| @@ -160,7 +160,7 @@ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] | |||||
| matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" | matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" | ||||
| # Specifies which SSL protocols to use when serving Riot and Synapse | # Specifies which SSL protocols to use when serving Riot and Synapse | ||||
| matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3" | |||||
| matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3" | |||||
| # Controls whether the self-check feature should validate SSL certificates. | # Controls whether the self-check feature should validate SSL certificates. | ||||
| matrix_nginx_proxy_self_check_validate_certificates: true | matrix_nginx_proxy_self_check_validate_certificates: true | ||||
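Review bot: The comment above `matrix_nginx_proxy_ssl_protocols` does not say that TLSv1.1 is left out on purpose, so someone trimming the list for an older nginx could add it back without realising it is a downgrade. Suggest adding a second comment line such as `# TLSv1.1 and older are intentionally excluded; add them back only if you must support legacy clients.` The comment also names only Riot and Synapse; if the value is applied to every proxied vhost (the template is outside this hunk), it would be more accurate to say so.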