From cc7be1309817a67072d8f4c24eae7b9a73d81a73 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Tue, 3 Oct 2017 11:44:01 -0400 Subject: [PATCH] update nginx cipher list to Mozilla's current intermediate ciphers and update HSTS header to be six months * The Mozilla recommendations must have been updated in the last few years. * The HSTS header must have >=6 months to get an A+ at ssllabs.com/ssltest. --- CHANGELOG.md | 8 ++++++++ conf/nginx-ssl.conf | 12 ++++++------ management/web_update.py | 4 ++-- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f48eef8..945d7f96 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,14 @@ CHANGELOG ========= +In Development +-------------- + +Web: + +* Updated cipher list to Mozilla's current intermediate recommendation. +* Updated HSTS header to use longer six month duration. + v0.24 (October 3, 2017) ----------------------- diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf index d6d3eb10..e893ad67 100644 --- a/conf/nginx-ssl.conf +++ b/conf/nginx-ssl.conf @@ -1,5 +1,5 @@ -# from: https://gist.github.com/konklone/6532544 -################################################################################### +# from https://gist.github.com/konklone/6532544 and https://mozilla.github.io/server-side-tls/ssl-config-generator/ +################################################################################################################### # Basically the nginx configuration I use at konklone.com. # I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com @@ -27,17 +27,17 @@ # # Reference client: https://www.ssllabs.com/ssltest/analyze.html ssl_prefer_server_ciphers on; -ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'; +ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; # Cut out (the old, broken) SSLv3 entirely. # This **excludes IE6 users** and (apparently) Yandexbot. # Just comment out if you need to support IE6, bless your soul. ssl_protocols TLSv1.2 TLSv1.1 TLSv1; -# Turn on session resumption, using a 10 min cache shared across nginx processes, +# Turn on session resumption, using a cache shared across nginx processes, # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html -ssl_session_cache shared:SSL:10m; -ssl_session_timeout 10m; +ssl_session_cache shared:SSL:50m; +ssl_session_timeout 1d; #keepalive_timeout 70; # in Ubuntu 14.04/nginx 1.4.6 the default is 65, so plenty good # Buffer size of 1400 bytes fits in one MTU. diff --git a/management/web_update.py b/management/web_update.py index ffd1cff9..450ca7c5 100644 --- a/management/web_update.py +++ b/management/web_update.py @@ -158,9 +158,9 @@ def make_domain_config(domain, templates, ssl_certificates, env): # Add the HSTS header. if hsts == "yes": - nginx_conf_extra += "add_header Strict-Transport-Security max-age=31536000;\n" + nginx_conf_extra += "add_header Strict-Transport-Security max-age=15768000;\n" elif hsts == "preload": - nginx_conf_extra += "add_header Strict-Transport-Security \"max-age=10886400; includeSubDomains; preload\";\n" + nginx_conf_extra += "add_header Strict-Transport-Security \"max-age=15768000; includeSubDomains; preload\";\n" # Add in any user customizations in the includes/ folder. nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")