Skip to content

Update nginx config to support TLS v1.3 in addition to TLS v1.2#5280

Merged
arm4b merged 2 commits intomasterfrom
update_nginx_config
Jun 11, 2021
Merged

Update nginx config to support TLS v1.3 in addition to TLS v1.2#5280
arm4b merged 2 commits intomasterfrom
update_nginx_config

Conversation

@Kami
Copy link
Member

@Kami Kami commented Jun 3, 2021
edited
Loading

This pull request updates production + sample nginx configs to also support TLS v1.3 in addition to TLS v1.2.

Keep in mind that TLS v1.3 will only be used if the server and client support it. On the server side, this means it will work out of the box on more recent distros where nginx version is >= v1.13 and nginx is compiled against OpenSSL v 1.1.1 which supports TLS v1.3.

Resolves #5216.

Kami added 2 commits June 3, 2021 12:23
@Kami
Update sample and prod nginx configs to also utilize TLS v1.3 (in
1ae4ec2 
addition to TLS v1.2) when nginx is compiled against openssl v1.1.1
which supports TLS v1.3.
@Kami
Add changelog entry.
aa16106 
/# with '#' will be ignored, and an empty message aborts the commit.
@Kami Kami added this to the 3.5.0 milestone Jun 3, 2021
@pull-request-size pull-request-size bot added the size/S PR that changes 10-29 lines. Very easy to review. label Jun 3, 2021
arm4b
arm4b approved these changes Jun 3, 2021
View reviewed changes
Copy link
Member

@arm4b arm4b left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot, @Kami 👍
and @cognifloyd, @punkrokk for assistance!

@arm4b
Copy link
Member

arm4b commented Jun 3, 2021

Thinking that this user-affecting change probably worth a small note in the upcoming Release Announcement

@arm4b
Copy link
Member

arm4b commented Jun 3, 2021

Do we also need a small remark in the https://docs.stackstorm.com/upgrade_notes.html ?

punkrokk
punkrokk approved these changes Jun 3, 2021
View reviewed changes
Copy link
Member

@punkrokk punkrokk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Regarding ciphers, anything < 256 should get removed. Not critical as I think browsers these days want the harder ciphers.

@arm4b arm4b merged commit cd3512d into master Jun 11, 2021
@arm4b arm4b deleted the update_nginx_config branch June 11, 2021 19:53
@arm4b arm4b mentioned this pull request Jun 11, 2021
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cognifloyd cognifloyd cognifloyd approved these changes

+2 more reviewers

@punkrokk punkrokk punkrokk approved these changes

@arm4b arm4b arm4b approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

nginx security size/S PR that changes 10-29 lines. Very easy to review.

Projects

None yet

Milestone

3.5.0

Development

Successfully merging this pull request may close these issues.

Enable TLS v1.3 support in the default nginx config

4 participants

@Kami @arm4b @punkrokk @cognifloyd