From 1ae4ec2ff24f8563c3df5811384729284baad2d6 Mon Sep 17 00:00:00 2001
From: Tomaz Muraus
Date: Thu, 3 Jun 2021 12:23:40 +0200
Subject: [PATCH 1/2] Update sample and prod nginx configs to also utilize TLS v1.3 (in addition to TLS v1.2) when nginx is compiled against openssl v1.1.1 which supports TLS v1.3.
---
 conf/HA/nginx/st2.conf.blueprint.sample | 2 +-
 conf/HA/nginx/st2.conf.controller.sample | 2 +-
 conf/nginx/st2.conf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/conf/HA/nginx/st2.conf.blueprint.sample b/conf/HA/nginx/st2.conf.blueprint.sample
index 293cdb31f5..91f3cdafd6 100644
--- a/conf/HA/nginx/st2.conf.blueprint.sample
+++ b/conf/HA/nginx/st2.conf.blueprint.sample
@@ -29,7 +29,7 @@ server {
 ssl_certificate_key /etc/ssl/st2/st2.key;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
 ssl_prefer_server_ciphers on;
diff --git a/conf/HA/nginx/st2.conf.controller.sample b/conf/HA/nginx/st2.conf.controller.sample
index 3a3063dbf7..b7108f56c8 100644
--- a/conf/HA/nginx/st2.conf.controller.sample
+++ b/conf/HA/nginx/st2.conf.controller.sample
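Review bot: With the new `ssl_protocols TLSv1.2 TLSv1.3;` line, the `ssl_ciphers` list directly below it now only tells half the story, because in nginx `ssl_ciphers` (OpenSSL's cipher_list) governs TLS 1.2 and earlier only; the TLS 1.3 suites come from OpenSSL's built-in defaults and can only be pinned with `ssl_conf_command Ciphersuites ...` (nginx 1.19.4+). A one-line comment above the directive would stop operators from assuming the list constrains TLS 1.3, e.g. `# ssl_ciphers applies to TLS <= 1.2 only; TLS 1.3 suites use the OpenSSL defaults (pin them with ssl_conf_command Ciphersuites on nginx >= 1.19.4)`. The `TLSv1.3` token is also rejected as an invalid value by nginx builds older than 1.13.0, while newer nginx linked against an OpenSSL without TLS 1.3 support appears to just ignore it, so the sample configs should state the minimum nginx version next to the OpenSSL 1.1.1 note from the commit message. The same applies to the controller.sample and conf/nginx/st2.conf hunks. Separately, the two HA samples drop TLS 1.0/1.1 in this commit while the changelog entry attributes that removal to conf/nginx/st2.conf only, which HA operators with older clients would want called out as well.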
@@ -34,7 +34,7 @@ server {
 ssl_certificate_key /etc/ssl/st2/st2.key;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
 ssl_prefer_server_ciphers on;
diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
index 6d1f4a2155..96394ccce4 100644
--- a/conf/nginx/st2.conf
+++ b/conf/nginx/st2.conf
@@ -36,7 +36,7 @@ server {
 ssl_certificate_key /etc/ssl/st2/st2.key;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
- ssl_protocols TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
 ssl_prefer_server_ciphers on;
From aa16106e6632cfd8c80ee58a9bb367737a2c7789 Mon Sep 17 00:00:00 2001
From: Tomaz Muraus
Date: Thu, 3 Jun 2021 12:26:45 +0200
Subject: [PATCH 2/2] Add changelog entry. /# with '#' will be ignored, and an empty message aborts the commit.
---
 CHANGELOG.rst | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index cdecd36345..929e2b5a9e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -92,8 +92,11 @@ Changed
 Contributed by @Kami.
 * Default nginx config (``conf/nginx/st2.conf``) which is used by the installer and Docker
- images has been updated to only support TLS v1.2 (support for TLS v1.0 and v1.1 has been
- removed). #5183
+ images has been updated to only support TLS v1.2 and TLS v1.3 (support for TLS v1.0 and v1.1
+ has been removed).
+
+ Keep in mind that TLS v1.3 will only be used when nginx is running on more recent distros
+ where nginx is compiled against OpenSSL v1.1.1 which supports TLS 1.3. #5183 #5216
 Contributed by @Kami and @shital.