02/08: hydra: Drop TLSv1 and enable TLSv1.3.
From: Ludovic Courtès
Subject: 02/08: hydra: Drop TLSv1 and enable TLSv1.3.
Date: Mon, 6 Jun 2022 06:07:17 -0400 (EDT)
civodul pushed a commit to branch master
in repository maintenance.
commit 6c969b482e5a60484e0c31cea6ef45314b37151b
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Sat Jun 4 18:12:13 2022 +0200
hydra: Drop TLSv1 and enable TLSv1.3.
* hydra/bayfront.scm (%hpc.guix.info-nginx-servers)
(%guix-hpc.bordeaux.inria.fr-nginx-servers)
(%logs.guix.gnu.org-nginx-servers)
(%coordinator.bayfront.guix.gnu.org-nginx-servers)
(%bayfront.guix.gnu.org-nginx-servers)
(%bordeaux.guix.gnu.org-nginx-servers): Change 'ssl_protocols' nginx
setting to "TLSv1.1 TLSv1.2 TLSv1.3".
* hydra/lakeside.scm (%nginx-server-blocks): Likewise.
* hydra/modules/sysadmin/nginx.scm (%tls-settings): Likewise.
* hydra/nginx/hydra.gnu.org.conf: Likewise.
* hydra/nginx/mirror.conf: Likewise.
---
hydra/bayfront.scm | 12 ++++++------
hydra/lakeside.scm | 2 +-
hydra/modules/sysadmin/nginx.scm | 4 ++--
hydra/nginx/hydra.gnu.org.conf | 2 +-
hydra/nginx/mirror.conf | 2 +-
5 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index e0f65ba..d150334 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -336,7 +336,7 @@ access_log /var/log/nginx/guix-hpc.access.log;"))
(raw-content
'("
# Make sure SSL is disabled.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
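Review bot: The new `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` line still enables TLSv1.1, which RFC 8996 deprecates together with TLSv1.0 and which has no AEAD cipher suites. Unless a known client still depends on it, consider `ssl_protocols TLSv1.2 TLSv1.3;` here and in every other place this commit touches the directive; if TLSv1.1 is kept on purpose, the commit log should say why.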
@@ -395,7 +395,7 @@ access_log /var/log/nginx/guix-hpc.access.log;"))
(raw-content
'("
# Make sure SSL is disabled.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
@@ -441,7 +441,7 @@ access_log /var/log/nginx/logs.access.log;"))
(raw-content
'("
# Make sure SSL is disabled.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
@@ -476,7 +476,7 @@ access_log /var/log/nginx/logs.access.log;"))
(raw-content
'("
# Make sure SSL is disabled.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
@@ -548,7 +548,7 @@ proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;"))
(raw-content
'("
# Make sure SSL is disabled.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
@@ -670,7 +670,7 @@ access_log /var/log/nginx/bordeaux.access.log;"))
(raw-content
'("
# Make sure SSL is disabled.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
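Review bot: The `ssl_protocols` / `ssl_ciphers` pair is repeated verbatim in six `raw-content` strings in hydra/bayfront.scm, so each protocol change has to be made by hand six times and a single server block can drift from the rest unnoticed. Consider defining the pair once and referencing it from each server, the way `%tls-settings` is defined in hydra/modules/sysadmin/nginx.scm.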
diff --git a/hydra/lakeside.scm b/hydra/lakeside.scm
index 064eb49..06f785a 100644
--- a/hydra/lakeside.scm
+++ b/hydra/lakeside.scm
@@ -85,7 +85,7 @@
(raw-content
'("
# Make sure SSL is disabled.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
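Review bot: The context comment `# Make sure SSL is disabled.` above the changed line no longer covers what the line does, since the directive now also turns off TLSv1 and turns on TLSv1.3. Suggest rewording it, for example `# Disable SSL and TLSv1; allow TLSv1.3.`, so the intent is still readable at the next edit.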
diff --git a/hydra/modules/sysadmin/nginx.scm b/hydra/modules/sysadmin/nginx.scm
index da6dfab..c582fac 100644
--- a/hydra/modules/sysadmin/nginx.scm
+++ b/hydra/modules/sysadmin/nginx.scm
@@ -1,5 +1,5 @@
;; Nginx configuration for ci.guix.gnu.org
-;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès
<ludo@gnu.org>
+;; Copyright © 2016-2022 Ludovic Courtès <ludo@gnu.org>
;; Copyright © 2017, 2018, 2019, 2020, 2021 Ricardo Wurmus <rekado@elephly.net>
;; Copyright © 2020 Christopher Baines <mail@cbaines.net>
;; Copyright © 2020, 2021 Florian Pelz <pelzflorian@pelzflorian.de>
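Review bot: The first copyright line switches to a year range (`2016-2022`) while the three holders below it keep enumerated years, so the header now mixes two styles, and the change is not mentioned in the commit log entry for this file. Either keep the list form and append 2022, or mention the convention change in the log.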
@@ -24,7 +24,7 @@
(define %tls-settings
(list
;; Make sure SSL is disabled.
- "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"
+ "ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;"
;; Disable weak cipher suites.
"ssl_ciphers HIGH:!aNULL:!MD5;"
"ssl_prefer_server_ciphers on;"
diff --git a/hydra/nginx/hydra.gnu.org.conf b/hydra/nginx/hydra.gnu.org.conf
index e7df7f8..0399924 100644
--- a/hydra/nginx/hydra.gnu.org.conf
+++ b/hydra/nginx/hydra.gnu.org.conf
@@ -108,7 +108,7 @@ http {
ssl_certificate_key /etc/letsencrypt/live/hydra.gnu.org/privkey.pem;
# Make sure SSL is disabled.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
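Review bot: With TLSv1.3 enabled, the `ssl_ciphers HIGH:!aNULL:!MD5;` line under `# Disable weak cipher suites.` only constrains TLSv1.1 and TLSv1.2, because nginx hands it to OpenSSL's cipher list, which does not select TLSv1.3 suites. OpenSSL's default TLSv1.3 suites are AEAD-only, so nothing has to change functionally, but the comment should state which protocol versions it covers, or the TLSv1.3 suites should be pinned with an `ssl_conf_command Ciphersuites` directive if a fixed set is wanted.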
diff --git a/hydra/nginx/mirror.conf b/hydra/nginx/mirror.conf
index f0e30be..d97d31a 100644
--- a/hydra/nginx/mirror.conf
+++ b/hydra/nginx/mirror.conf
@@ -101,7 +101,7 @@ http {
keepalive_timeout 70;
# Make sure SSL is disabled.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
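Review bot: In this hand-written config the `TLSv1.3` parameter only takes effect when the nginx serving it is built against OpenSSL 1.1.1 or later, and nothing in the hunk documents or checks that. Suggest recording the requirement next to the directive and confirming after deployment that a TLSv1.3-only handshake succeeds, for example with `openssl s_client -tls1_3 -connect HOST:443` (HOST is a placeholder).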