~sircmpwn/sr.ht#264: 
sr.ht and all services should support TLS 1.3

Currently the maximum supported seems to be TLS 1.2.

The relevant config for nginx:

ssl_protocols TLSv1.2 TLSv1.3;

Since the certs are provided by Let's Encrypt: if the certificate installation in nginx is managed by certbot, you can edit the file at /etc/letsencrypt/options-ssl-nginx.conf (at least on Debian-based distros).

Status: RESOLVED NOT_OUR_BUG
Submitter: ~crocmagnon
Assigned to: No-one
Submitted: 4 years ago
Updated: 4 years ago
Labels: No labels applied.
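
An added example, not part of the ticket and not sr.ht's or nginx's code: a Python check that scans nginx configuration text for the ssl_protocols directive named in the ticket and reports which occurrences omit TLSv1.3 or still enable protocols older than TLS 1.2. The function names and the sample configuration are constructed for illustration.

```python
import re

# Values accepted by ssl_protocols that predate TLS 1.2.
LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

# \b keeps proxy_ssl_protocols / grpc_ssl_protocols (upstream side) from matching.
DIRECTIVE = re.compile(r"\bssl_protocols\s+([^;{}]+);")


def audit_ssl_protocols(config_text):
    """Return one finding per ssl_protocols directive in nginx config text."""
    # Blank out comments but keep newlines so line numbers stay correct.
    # Simplification: a '#' inside a quoted string is treated as a comment.
    text = re.sub(r"#[^\n]*", "", config_text)
    findings = []
    for m in DIRECTIVE.finditer(text):
        protocols = m.group(1).split()  # the directive may span several lines
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "protocols": protocols,
            "tls13": "TLSv1.3" in protocols,
            "legacy": [p for p in protocols if p in LEGACY],
        })
    return findings  # empty list: no directive set, the build's defaults apply


def needs_attention(findings):
    """Lines whose directive omits TLSv1.3 or still enables a legacy protocol."""
    return [f["line"] for f in findings if not f["tls13"] or f["legacy"]]


# Constructed sample input, not sr.ht's configuration.
SAMPLE = """\
http {
    # ssl_protocols TLSv1 TLSv1.1;
    server {
        ssl_protocols TLSv1.1 TLSv1.2;
    }
    server {
        ssl_protocols TLSv1.2
                      TLSv1.3;
        proxy_ssl_protocols TLSv1.2;
    }
}
"""

if __name__ == "__main__":
    print("review lines:", needs_attention(audit_ssl_protocols(SAMPLE)))
```

Running it over the output of nginx -T also covers included files such as /etc/letsencrypt/options-ssl-nginx.conf.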

~sircmpwn REPORTED NOT_OUR_BUG 4 years ago

You should petition nginx for improved defaults.

~crocmagnon 4 years ago

I won't fight tooth and nail about it but configuration files exist for a reason and offering a more recent version of a security protocol doesn't seem like a very difficult change, especially since it's just one config line.

~sircmpwn 4 years ago

You should petition nginx for improved defaults.

~crocmagnon 4 years ago

Well thanks for this very constructive discussion! :)

~sircmpwn 4 years ago

Looks like this is the main blocker:

https://trac.nginx.org/nginx/ticket/195

It doesn't look too hard to write the necessary patch. Good luck!
