In light of our goals to promote and enable better security practices,
I've spent some time looking into `nginx-mainline` and improving the
supported and enabled SSL protocols.
Currently, TLSv1 and TLSv1.1 are enabled by default. TLSv1.3
isn't properly enabled. This results in a `B` rating on SSL Labs for a
Thus, I will be changing the default protocols to support TLSv1.2 and
TLSv1.3 only. This should result in an `A` rating for the default setup.
If you are running with the standard configs, no action should be needed
once this change lands.
If you do have a need to support (5+ year old) clients that need the
older protocols, you can enable them in nginx-mainline.conf with the
At some point in the future I will likely also disable 128-bit ciphers by
default for the same reasons.
These changes are not applied to `nginx`. I am slowly deprecating
`nginx` in favor of `nginx-mainline` going forward. At some point we
will likely obsolete and remove `nginx` entirely.
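
A check for the protocol change described above, as an added example that is not part of the original message or of the package: it scans nginx configuration text for `ssl_protocols` directives and reports any that still enable TLSv1/TLSv1.1 or omit TLSv1.3. The sample config and function names are constructed for illustration, and comment stripping assumes no `#` inside quoted values.

```python
import re

# Protocol versions the announcement moves away from, plus the older SSL ones.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# The lookbehind skips other directives such as proxy_ssl_protocols.
DIRECTIVE = re.compile(r"(?<![\w.])ssl_protocols\s+([^;{}]+);")


def strip_comments(text):
    """Drop '#' comments but keep line breaks so line numbers stay right."""
    return "\n".join(line.split("#", 1)[0] for line in text.split("\n"))


def audit_ssl_protocols(conf_text):
    """Return (line_number, deprecated_enabled, tls13_enabled) per directive."""
    clean = strip_comments(conf_text)
    findings = []
    for match in DIRECTIVE.finditer(clean):
        enabled = set(match.group(1).split())
        line_number = clean.count("\n", 0, match.start()) + 1
        findings.append(
            (line_number, sorted(enabled & DEPRECATED), "TLSv1.3" in enabled)
        )
    return findings


# Constructed sample config, not taken from any package.
SAMPLE_CONF = """\
http {
    # ssl_protocols SSLv3;   (commented out, must be ignored)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2
                      TLSv1.3;
    }
}
"""

if __name__ == "__main__":
    for line_number, deprecated, tls13 in audit_ssl_protocols(SAMPLE_CONF):
        status = "OK" if not deprecated and tls13 else "REVIEW"
        print(f"line {line_number}: {status} deprecated={deprecated} tls13={tls13}")
```

Local overrides in `server` blocks are reported separately, so a config that re-enables the older protocols for one virtual host still shows up.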