Skip to content
Snippets Groups Projects

Add setting to disable nginx TLS cipher config

Merged Add setting to disable nginx TLS cipher config
half-duplex/ansible:ngx-no-tls-clobber into master
Merged mal requested to merge half-duplex/ansible:ngx-no-tls-clobber into master

I configure TLS settings in the http{} block in my /etc/nginx/nginx.conf. Attempting to override these settings:

  • Interferes with my cipher choices and TLS config on other sites
  • In my case (probably because of TLSv1.3), causes the funkwhale site to fail to load with SSL_ERROR_ILLEGAL_PARAMETER_ALERT

This PR adds the funkwhale_nginx_tls_configure_ciphers var to disable funkwhale's overriding of the following settings:

    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

The default of true maintains the current behavior for indifferent users.

Merge request reports

Pipeline #12262 passed

Stage: test

    Pipeline passed for bf3f5aec on half-duplex:ngx-no-tls-clobber

    Merged by AgateAgate 4 years ago (Oct 1, 2020 7:13am UTC)

    Loading

    Pipeline #12290 canceled

    Stage: test
      Stage: deploy

        Pipeline canceled for 61156d14 on master

        Activity

        Filter activity
        • Approvals
        • Assignees & reviewers
        • Comments (from bots)
        • Comments (from users)
        • Commits & branches
        • Edits
        • Labels
        • Lock status
        • Mentions
        • Merge request status
        • Tracking
        Please register or sign in to reply