From f18037ae42b3837ac14ab96f6868731069a5b6be Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 30 Jan 2020 12:56:20 +0200
Subject: [PATCH] Disable TLSv1.1 by default

---
 CHANGELOG.md | 9 +++++++++
 docs/configuring-playbook-own-webserver.md | 2 +-
 examples/apache/matrix-dimension.conf | 2 +-
 examples/apache/matrix-riot-web.conf | 2 +-
 examples/apache/matrix-synapse.conf | 4 ++--
 roles/matrix-nginx-proxy/defaults/main.yml | 2 +-
 6 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 620d8ec37..2f5f62f41 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,12 @@
+# 2020-01-30
+
+## Disabling TLSv1.1
+
+To improve security, we've removed TLSv1.1 support from our default matrix-nginx-proxy configuration.
+
+If you need to support old clients, you can re-enable it with the following configuration: `matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"`
+
+
 # 2020-01-21
 
 ## Postgres collation changes (action required!)
diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md
index bb958cd7a..d686c9470 100644
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@@ -52,7 +52,7 @@ Note that if your nginx version is old, it might not like our default choice of
 
 ```yaml
 # Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
-matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
+matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
 ```
 
 
diff --git a/examples/apache/matrix-dimension.conf b/examples/apache/matrix-dimension.conf
index 9078cd87f..f334690e3 100644
--- a/examples/apache/matrix-dimension.conf
+++ b/examples/apache/matrix-dimension.conf
@@ -26,7 +26,7 @@
     SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem
 
     SSLProxyEngine on
-    SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+    SSLProxyProtocol +TLSv1.2 +TLSv1.3
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 
     ProxyPreserveHost On
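Review bot: `SSLProxyProtocol` restricts the TLS versions Apache itself offers when it connects to the proxied backend, not the versions it accepts from browsers and Matrix clients; the directive governing the client-facing side is `SSLProtocol`, which this hunk does not touch. If the commit's intent is that Apache deployments also stop accepting TLSv1.1 from clients, the virtual host's `SSLProtocol` line (outside the hunk, if the file has one) needs a matching change, e.g. `SSLProtocol -all +TLSv1.2 +TLSv1.3`; otherwise the example still negotiates TLSv1.1 on the listening socket while the CHANGELOG announces it as disabled. The same gap applies to the matrix-riot-web.conf hunk and to both matrix-synapse.conf hunks (the 443 and the `Listen 8448` virtual hosts). The enclosing `<VirtualHost>` block starts and ends outside the hunk, so I cannot see from here whether `SSLProtocol` is set at all.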
diff --git a/examples/apache/matrix-riot-web.conf b/examples/apache/matrix-riot-web.conf
index 857697859..0860a0489 100644
--- a/examples/apache/matrix-riot-web.conf
+++ b/examples/apache/matrix-riot-web.conf
@@ -26,7 +26,7 @@
     SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem
 
     SSLProxyEngine on
-    SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+    SSLProxyProtocol +TLSv1.2 +TLSv1.3
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 
     ProxyPreserveHost On
diff --git a/examples/apache/matrix-synapse.conf b/examples/apache/matrix-synapse.conf
index f3f85d317..3e09121fa 100644
--- a/examples/apache/matrix-synapse.conf
+++ b/examples/apache/matrix-synapse.conf
@@ -26,7 +26,7 @@
     SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
 
     SSLProxyEngine on
-    SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+    SSLProxyProtocol +TLSv1.2 +TLSv1.3
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 
     ProxyPreserveHost On
@@ -103,7 +103,7 @@ Listen 8448
     SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem
 
     SSLProxyEngine on
-    SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+    SSLProxyProtocol +TLSv1.2 +TLSv1.3
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 
     ProxyPreserveHost On
diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index d6388a984..8ab923cb7 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -160,7 +160,7 @@ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
 matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
 
 # Specifies which SSL protocols to use when serving Riot and Synapse
-matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
+matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"
 
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_nginx_proxy_self_check_validate_certificates: true
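Review bot: The comment above `matrix_nginx_proxy_ssl_protocols` in the defaults hunk is unchanged and still reads as a neutral description, so nothing in the file an operator actually edits says why TLSv1.1 is no longer listed or what re-adding it costs; the only record is the CHANGELOG entry. I would extend it to `# Specifies which SSL protocols to use when serving Riot and Synapse.` / `# TLSv1.1 is deliberately excluded (see CHANGELOG, 2020-01-30); only re-add it if you must serve legacy clients.` / `# TLSv1.3 needs an nginx/OpenSSL build that supports it; remove it if your nginx rejects the directive.` The last sentence reflects the docs hunk's own warning that older nginx versions may not accept TLSv1.3. Whether this variable also governs the federation listener cannot be seen from the hunk, so the "Riot and Synapse" wording should be checked against the template that consumes it.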