Improve TLS settings based on Mozilla config generator.

Lengthen the session timeout and enlarge the session cache. Disable session tickets (see mozilla/server-side-tls#135). Upgrade Diffie-Hellman parameters from fixed 1024-bit to custom 2048-bit. Enable server-preferred cipher ordering, and OCSP stapling. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
andersk · Mar 9, 2019 · b761ae6 · b761ae6
1 parent 399aa43
commit b761ae6
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/puppet/zulip/files/nginx/nginx.conf b/puppet/zulip/files/nginx/nginx.conf
@@ -50,10 +50,18 @@ http {
         ''      close;
     }
 
+    # https://wiki.mozilla.org/Security/Server_Side_TLS intermediate profile
     ssl_prefer_server_ciphers On;
-    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+    ssl_dhparam /etc/nginx/dhparam.pem;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
+    ssl_prefer_server_ciphers on;
+    ssl_stapling on;
+    ssl_stapling_verify_on;
+    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
 
 
     include /etc/nginx/conf.d/*.conf;

diff --git a/puppet/zulip/manifests/nginx.pp b/puppet/zulip/manifests/nginx.pp
@@ -58,9 +58,15 @@
     source  => $uploads_route,
   }
 
+  exec { 'dhparam':
+    command => 'openssl dhparam -out /etc/nginx/dhparam.pem 2048',
+    creates => '/etc/nginx/dhparam.pem',
+    require => Package['openssl'],
+  }
+
   file { '/etc/nginx/nginx.conf':
     ensure  => file,
-    require => Package[$zulip::common::nginx],
+    require => Package[$zulip::common::nginx, 'ca-certificates'],
     owner   => 'root',
     group   => 'root',
     mode    => '0644',