guix-commits

02/08: hydra: Drop TLSv1 and enable TLSv1.3.


From: Ludovic Courtès
Subject: 02/08: hydra: Drop TLSv1 and enable TLSv1.3.
Date: Mon, 6 Jun 2022 06:07:17 -0400 (EDT)

civodul pushed a commit to branch master
in repository maintenance.

commit 6c969b482e5a60484e0c31cea6ef45314b37151b
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Sat Jun 4 18:12:13 2022 +0200

    hydra: Drop TLSv1 and enable TLSv1.3.
    
    * hydra/bayfront.scm (%hpc.guix.info-nginx-servers)
    (%guix-hpc.bordeaux.inria.fr-nginx-servers)
    (%logs.guix.gnu.org-nginx-servers)
    (%coordinator.bayfront.guix.gnu.org-nginx-servers)
    (%bayfront.guix.gnu.org-nginx-servers)
    (%bordeaux.guix.gnu.org-nginx-servers): Change 'ssl_protocols' nginx
    setting to "TLSv1.1 TLSv1.2 TLSv1.3".
    * hydra/lakeside.scm (%nginx-server-blocks): Likewise.
    * hydra/modules/sysadmin/nginx.scm (%tls-settings): Likewise.
    * hydra/nginx/hydra.gnu.org.conf: Likewise.
    * hydra/nginx/mirror.conf: Likewise.
---
 hydra/bayfront.scm               | 12 ++++++------
 hydra/lakeside.scm               |  2 +-
 hydra/modules/sysadmin/nginx.scm |  4 ++--
 hydra/nginx/hydra.gnu.org.conf   |  2 +-
 hydra/nginx/mirror.conf          |  2 +-
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index e0f65ba..d150334 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -336,7 +336,7 @@ access_log   /var/log/nginx/guix-hpc.access.log;"))
       (raw-content
        '("
 # Make sure SSL is disabled.
-ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
 
 # Disable weak cipher suites.
 ssl_ciphers         HIGH:!aNULL:!MD5;
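Review bot: TLSv1.1 is still offered by the new `ssl_protocols` line, although RFC 8996 deprecates it together with TLSv1.0, so legacy-protocol negotiation is only partly removed. Unless a known client still depends on it, the line should read `ssl_protocols       TLSv1.2 TLSv1.3;`. The same applies to the other five hunks in hydra/bayfront.scm and to the identical lines in hydra/lakeside.scm, hydra/modules/sysadmin/nginx.scm, hydra/nginx/hydra.gnu.org.conf and hydra/nginx/mirror.conf. The enclosing `raw-content` form starts and ends outside the hunk.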
@@ -395,7 +395,7 @@ access_log   /var/log/nginx/guix-hpc.access.log;"))
       (raw-content
        '("
 # Make sure SSL is disabled.
-ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
 
 # Disable weak cipher suites.
 ssl_ciphers         HIGH:!aNULL:!MD5;
@@ -441,7 +441,7 @@ access_log   /var/log/nginx/logs.access.log;"))
       (raw-content
        '("
 # Make sure SSL is disabled.
-ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
 
 # Disable weak cipher suites.
 ssl_ciphers         HIGH:!aNULL:!MD5;
@@ -476,7 +476,7 @@ access_log   /var/log/nginx/logs.access.log;"))
     (raw-content
      '("
 # Make sure SSL is disabled.
-ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
 
 # Disable weak cipher suites.
 ssl_ciphers         HIGH:!aNULL:!MD5;
@@ -548,7 +548,7 @@ proxy_set_header X-Forwarded-For  
$proxy_add_x_forwarded_for;"))
       (raw-content
        '("
 # Make sure SSL is disabled.
-ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
 
 # Disable weak cipher suites.
 ssl_ciphers         HIGH:!aNULL:!MD5;
@@ -670,7 +670,7 @@ access_log  /var/log/nginx/bordeaux.access.log;"))
       (raw-content
        '("
 # Make sure SSL is disabled.
-ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
 
 # Disable weak cipher suites.
 ssl_ciphers         HIGH:!aNULL:!MD5;
diff --git a/hydra/lakeside.scm b/hydra/lakeside.scm
index 064eb49..06f785a 100644
--- a/hydra/lakeside.scm
+++ b/hydra/lakeside.scm
@@ -85,7 +85,7 @@
       (raw-content
        '("
 # Make sure SSL is disabled.
-ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
 
 # Disable weak cipher suites.
 ssl_ciphers         HIGH:!aNULL:!MD5;
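Review bot: This `raw-content` string repeats the protocol and cipher directives that `%tls-settings` in hydra/modules/sysadmin/nginx.scm already holds, which is why one policy change needed eleven edits across five files. Copies like this tend to drift, and a server block missed in a later tightening would keep accepting the older protocols unnoticed. If lakeside.scm and bayfront.scm can import that module (not visible from the hunk), splicing the shared list into each server block would leave a single place to audit. At minimum a comment such as `# Keep in sync with %tls-settings in (sysadmin nginx).` on each copy would help; the module name there is a guess from the file path.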
diff --git a/hydra/modules/sysadmin/nginx.scm b/hydra/modules/sysadmin/nginx.scm
index da6dfab..c582fac 100644
--- a/hydra/modules/sysadmin/nginx.scm
+++ b/hydra/modules/sysadmin/nginx.scm
@@ -1,5 +1,5 @@
 ;; Nginx configuration for ci.guix.gnu.org
-;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès 
<ludo@gnu.org>
+;; Copyright © 2016-2022 Ludovic Courtès <ludo@gnu.org>
 ;; Copyright © 2017, 2018, 2019, 2020, 2021 Ricardo Wurmus <rekado@elephly.net>
 ;; Copyright © 2020 Christopher Baines <mail@cbaines.net>
 ;; Copyright © 2020, 2021 Florian Pelz <pelzflorian@pelzflorian.de>
@@ -24,7 +24,7 @@
 (define %tls-settings
   (list
    ;; Make sure SSL is disabled.
-   "ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;"
+   "ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;"
    ;; Disable weak cipher suites.
    "ssl_ciphers         HIGH:!aNULL:!MD5;"
    "ssl_prefer_server_ciphers on;"
diff --git a/hydra/nginx/hydra.gnu.org.conf b/hydra/nginx/hydra.gnu.org.conf
index e7df7f8..0399924 100644
--- a/hydra/nginx/hydra.gnu.org.conf
+++ b/hydra/nginx/hydra.gnu.org.conf
@@ -108,7 +108,7 @@ http {
        ssl_certificate_key /etc/letsencrypt/live/hydra.gnu.org/privkey.pem;
 
        # Make sure SSL is disabled.
-       ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+       ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
 
        # Disable weak cipher suites.
        ssl_ciphers         HIGH:!aNULL:!MD5;
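Review bot: With TLSv1.3 now enabled, the `ssl_ciphers HIGH:!aNULL:!MD5;` line below no longer describes everything the server will negotiate. Assuming nginx is linked against OpenSSL, that directive only constrains TLSv1.2 and older, while TLSv1.3 suites come from the library defaults. A comment such as `# Applies to TLSv1.2 and older; TLSv1.3 suites use the OpenSSL defaults.` above `ssl_ciphers` would keep a later reader from assuming the exclusion list covers all connections. The `TLSv1.3` parameter also takes effect only when nginx is built with OpenSSL 1.1.1 or later, so it is worth confirming on each host that a 1.3 handshake actually succeeds after deployment. The enclosing `http` block continues outside the hunk.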
diff --git a/hydra/nginx/mirror.conf b/hydra/nginx/mirror.conf
index f0e30be..d97d31a 100644
--- a/hydra/nginx/mirror.conf
+++ b/hydra/nginx/mirror.conf
@@ -101,7 +101,7 @@ http {
        keepalive_timeout   70;
 
        # Make sure SSL is disabled.
-       ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+       ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
 
        # Disable weak cipher suites.
        ssl_ciphers         HIGH:!aNULL:!MD5;


