This repository has been archived by the owner on May 20, 2022. It is now read-only.

deactivate TLSv1 by default #242

Closed
cht47 opened this issue Mar 5, 2018 · 6 comments
Comments

cht47 commented Mar 5, 2018

Hi,
today I've seen that TLS 1.0 and 1.1 are on by default under web/mattermost-ssl:

```
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
```

I recommend rejecting at least TLSv1. It would be nice if we could edit it in the docker-compose.yml.

pichouk (Contributor) commented Mar 5, 2018

I'm okay to remove TLS 1.0 since it seems that TLS 1.1 is widely supported. If you have some other suggestions to improve TLS security on the web image I'll be happy to hear about them.

Would you like to submit a PR? If yes, feel free to submit. Otherwise I can make the change.

cht47 (Author) commented Mar 6, 2018

Thanks, but you can make the change.

As I don't use the standard HTTPS port, SSLLabs doesn't work for me to check for further vulnerabilities.

A recommendation (for a TLS 1.2 config):

```
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
```

There is a long explanation of why these and why in this order. Mozilla gives some information about this too, and here you have a generator:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

Enabling HSTS would also be something to think about. But that can be annoying with cert problems, so I don't recommend it for this project.

Edit:
Here are the settings my company uses for our cloud products. Our web services get tested by external security experts; we got a very good rating last time, so it should be safe and still usable for "older" browsers (we also support TLS 1.1):

```
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DES:!3DES
```

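Since SSLLabs cannot scan a non-standard port, an offline check of the nginx directives themselves is the practical alternative. The following is an added example, not code from the mattermost-docker project or from either commenter: a small Python linter that reads the `ssl_protocols` and `ssl_ciphers` directives from an nginx server block, reports the legacy versions this thread asks to drop, and flags cipher-string tokens that name weak primitives, lack a forward-secrecy key exchange, use SHA-1 CBC suites, or are broad OpenSSL aliases such as `HIGH`. The embedded sample config is constructed from the default quoted in the first comment plus the short TLS 1.2 cipher list suggested above; the classification rules and the `lint_*` helper names are this example's own.

```python
"""Lint nginx TLS directives for legacy protocols and questionable cipher tokens.

Added example, not code from the mattermost-docker project. The directive
names are standard nginx (ssl_protocols, ssl_ciphers); the sample config and
the classification rules are this example's own assumptions.
"""
import re

# Protocol versions to report. TLSv1 and TLSv1.1 are the ones under discussion;
# SSLv2/SSLv3 are listed so a config that still names them is caught too.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Substrings of an OpenSSL cipher-string token that name weak primitives.
WEAK_MARKERS = ("RC4", "3DES", "DES", "MD5", "NULL", "EXP", "PSK")

# Key-exchange names that provide forward secrecy (ephemeral DH / ECDH).
FS_PREFIXES = ("ECDHE", "DHE", "EECDH", "EDH", "kEECDH", "kEDH")

# Broad OpenSSL aliases; a reviewer would rather see suites listed explicitly.
BROAD_ALIASES = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM", "LOW"}

DIRECTIVE_RE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+(.+?)\s*;", re.M)


def parse_tls_directives(config_text):
    """Extract ssl_protocols (space separated) and ssl_ciphers (colon separated)."""
    found = {"ssl_protocols": [], "ssl_ciphers": []}
    for name, value in DIRECTIVE_RE.findall(config_text):
        value = value.strip().strip('"').strip("'")
        found[name] = value.split() if name == "ssl_protocols" else value.split(":")
    return found


def lint_protocols(protocols):
    """Return the legacy protocol names present, in config order."""
    return [p for p in protocols if p in LEGACY_PROTOCOLS]


def hardened_protocols(protocols):
    """Same list with the legacy versions dropped (what the issue asks for)."""
    return [p for p in protocols if p not in LEGACY_PROTOCOLS]


def classify_cipher_token(token):
    """Return a reason string for a questionable token, or None if it looks fine."""
    if token.startswith(("!", "-")):
        return None  # explicit exclusion such as !RC4; nothing to report
    if token in BROAD_ALIASES:
        return "broad alias; list suites explicitly"
    upper = token.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return "weak primitive"
    # A '+' token such as AES256+EECDH is an AND of properties; check each part.
    parts = token.split("+")
    if not any(part.startswith(FS_PREFIXES) for part in parts):
        return "no forward-secrecy key exchange named"
    # OpenSSL names ending in "-SHA" are CBC suites with an HMAC-SHA-1 MAC.
    if token.endswith("-SHA"):
        return "CBC mode with SHA-1 HMAC; keep only for legacy clients"
    return None


def lint_cipher_string(cipher_string):
    """Return [(token, reason), ...] for every questionable token, in order."""
    findings = []
    for token in cipher_string.split(":"):
        reason = classify_cipher_token(token)
        if reason:
            findings.append((token, reason))
    return findings


def lint_config(config_text):
    """Run both checks over a config text and return a small report dict."""
    d = parse_tls_directives(config_text)
    return {
        "legacy_protocols": lint_protocols(d["ssl_protocols"]),
        "hardened_protocols": hardened_protocols(d["ssl_protocols"]),
        "cipher_findings": lint_cipher_string(":".join(d["ssl_ciphers"])),
    }


# Constructed sample: the default reported in the issue plus the short TLS 1.2
# cipher list suggested in the thread, on a non-standard port.
SAMPLE_CONFIG = """
server {
    listen 8443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
    ssl_prefer_server_ciphers on;
}
"""

if __name__ == "__main__":
    report = lint_config(SAMPLE_CONFIG)
    print("legacy protocols:", report["legacy_protocols"])
    print("suggested ssl_protocols:", " ".join(report["hardened_protocols"]))
    for token, reason in report["cipher_findings"]:
        print(f"cipher {token}: {reason}")
```

On the sample it reports TLSv1 and TLSv1.1 as legacy, suggests `ssl_protocols TLSv1.2;`, and flags only the last suite of the suggested list (the SHA-1 CBC fallback) while accepting the two AEAD suites. Run it against a real `mattermost-ssl` config by reading the file into `lint_config`; the longer Apache-style list in the edit above can be checked with `lint_cipher_string` directly, since it uses the same OpenSSL cipher-string syntax.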
pichouk added a commit that referenced this issue Mar 8, 2018
@pichouk pichouk reopened this Mar 12, 2018
cht47 (Author) commented Jul 5, 2018

A little update from my side. I will update my container to 5.0 soon and then test some "casual" security configurations without TLSv1, and then some stronger configurations. Then I'll test it for some weeks (colleagues will be my guinea pigs) and then you will hear from me again with a properly tested working config.

minj commented Oct 26, 2018

security > interoperability

Drop everything but v1.2; let the unfortunate souls misconfigure their servers on their own.

J0WI commented Feb 1, 2019

TLSv1.3 support has just been added to nginx on Alpine.

@pichouk pichouk self-assigned this Feb 9, 2019
pichouk (Contributor) commented Feb 9, 2019

We will probably deprecate the web image with #366

@cht47 cht47 closed this as completed Jul 23, 2019