
Add setting to disable nginx TLS cipher config

Merged mal requested to merge half-duplex/ansible:ngx-no-tls-clobber into master

I configure TLS settings in the http{} block in my /etc/nginx/nginx.conf. Attempting to override these settings:

  • Interferes with my cipher choices and TLS config on other sites
  • In my case (probably because of TLSv1.3), causes the funkwhale site to fail to load with SSL_ERROR_ILLEGAL_PARAMETER_ALERT

This PR adds the funkwhale_nginx_tls_configure_ciphers var to disable funkwhale's overriding of the following settings:

    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

The default of true maintains the current behavior for indifferent users.
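An audit helper for the conflict described in the merge request above, added here as an example and not part of the merge request or the role's code: it reports which of the eight listed directives are set in `http{}` and set again inside a `server{}` block. The function name, hostnames and http-level values are constructed, and the tokenizer assumes one file with no `include` lines and no quoted strings containing braces or `#`.

```python
import re

# The eight directives named in the merge request description.
TLS_DIRECTIVES = {"ssl_prefer_server_ciphers", "ssl_ciphers", "ssl_ecdh_curve",
                  "ssl_session_timeout", "ssl_session_cache",
                  "ssl_session_tickets", "ssl_stapling", "ssl_stapling_verify"}

def tls_overrides(conf_text):
    """Return [(server_name, directive, http_value, server_value)] for each
    listed directive set in http{} and set again inside a server{} block."""
    text = re.sub(r"#[^\n]*", "", conf_text)        # drop comments
    tokens = re.findall(r"[{};]|[^\s{};]+", text)   # braces, ';' and words
    stack, stmt, http_level, servers = [], [], {}, []
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            stmt.append(tok)                        # still inside a statement
            continue
        ctx = stack[-1] if stack else ""            # enclosing block name
        if tok == "{":
            stack.append(stmt[0] if stmt else "")
            if stack[-1] == "server":
                servers.append({"name": "(unnamed)", "tls": {}})
        elif tok == "}" and stack:
            stack.pop()
        elif tok == ";" and stmt:
            name, value = stmt[0], " ".join(stmt[1:])
            if ctx == "http" and name in TLS_DIRECTIVES:
                http_level[name] = value
            elif ctx == "server" and name == "server_name":
                servers[-1]["name"] = value
            elif ctx == "server" and name in TLS_DIRECTIVES:
                servers[-1]["tls"][name] = value
        stmt = []
    return [(s["name"], d, http_level[d], v)
            for s in servers for d, v in sorted(s["tls"].items())
            if d in http_level]

# Constructed sample: http-level TLS settings plus one site that sets them again.
SAMPLE = """
http {
  ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20;  # constructed http-level value
  ssl_session_cache shared:SSL:50m;
  server { server_name other.example.org; }
  server {
    server_name funkwhale.example.org;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM; ssl_session_cache shared:SSL:10m;
    ssl_stapling on;
  }
}
"""
```

Running `tls_overrides` over the rendered site config before and after setting `funkwhale_nginx_tls_configure_ciphers` to false shows whether the per-site block still redefines anything from `http{}`.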

Merge request reports

Pipeline #12262 passed

Pipeline passed for bf3f5aec on half-duplex:ngx-no-tls-clobber

Merged by AgateAgate 4 years ago (Oct 1, 2020 7:13am UTC)

Pipeline #12290 canceled

Pipeline canceled for 61156d14 on master
