Update TLS config #324
1.15.12 is the nginx version that consumes this configuration. Since the work on backoffice/spar is kinda on hold, would you mind double checking whether the ciphers and TLSv1.3 are supported? (A quick research resulted in yes, but you probably have more knowledge around this)
The openssl version installed (1.1.1g-r0) can do TLS1.3. That's at least the version I get when installing now. Not sure what's installed on the docker image ...
It runs |
I don't think backoffice serves its own TLS so I'm not sure if this change does something? Isn't it terminated behind |
🤔 You make an excellent point. But I guess one could argue that a) if the image is seen as an atomic and agnostic artifact, it can run anywhere not just on an ingress terminating k8s I guess @franziskuskiefer was just lacking of some context and instead |
The backoffice is not "fronted" by anything, you can see more details on the README.
Right, it's not running like that. That being said there's no good reason to have a config where undesirable ciphers/tls versions are used.
Yeah, but the backoffice currently doesn't use TLS at all; so I don't see why we even have things for it in the config. That was more my point :)
Fixes https://github.com/zinfra/backend-issues/issues/1628
Note that this also disables TLS versions we don't want and enables TLS 1.3. Let me know when there's a reason why that doesn't work.