Disable TLSv1.1 by default

5 years ago · f18037ae42
parent f9a67624e1
commit f18037ae42
6 changed files with 15 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,12 @@
+# 2020-01-30
+
+## Disabling TLSv1.1
+
+To improve security, we've removed TLSv1.1 support from our default matrix-nginx-proxy configuration.
+
+If you need to support old clients, you can re-enable it with the following configuration: `matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"`
+
+
 # 2020-01-21

 ## Postgres collation changes (action required!)
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@ -52,7 +52,7 @@ Note that if your nginx version is old, it might not like our default choice of

 ```yaml
 # Custom protocol list (removing `TLSv1.3`) to suit your nginx version.
-matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
+matrix_nginx_proxy_ssl_protocols: "TLSv1.2"
 ```


--- a/examples/apache/matrix-dimension.conf
+++ b/examples/apache/matrix-dimension.conf
@ -26,7 +26,7 @@
 	SSLCertificateKeyFile /matrix/ssl/config/live/dimension.DOMAIN/privkey.pem

 	SSLProxyEngine on
-	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 	ProxyPreserveHost On
--- a/examples/apache/matrix-riot-web.conf
+++ b/examples/apache/matrix-riot-web.conf
@ -26,7 +26,7 @@
 	SSLCertificateKeyFile /matrix/ssl/config/live/riot.DOMAIN/privkey.pem

 	SSLProxyEngine on
-	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 	ProxyPreserveHost On
--- a/examples/apache/matrix-synapse.conf
+++ b/examples/apache/matrix-synapse.conf
@ -26,7 +26,7 @@
 	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem

 	SSLProxyEngine on
-	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 	ProxyPreserveHost On
@ -103,7 +103,7 @@ Listen 8448
 	SSLCertificateKeyFile /matrix/ssl/config/live/matrix.DOMAIN/privkey.pem

 	SSLProxyEngine on
-	SSLProxyProtocol +TLSv1.1 +TLSv1.2 +TLSv1.3
+	SSLProxyProtocol +TLSv1.2 +TLSv1.3
 	SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

 	ProxyPreserveHost On
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -160,7 +160,7 @@ matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
 matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"

 # Specifies which SSL protocols to use when serving Riot and Synapse
-matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
+matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"

 # Controls whether the self-check feature should validate SSL certificates.
 matrix_nginx_proxy_self_check_validate_certificates: true