Hardening nginx configuration, drop TLSv1.1 support

ScIT-Raphael · ScIT-Raphael · commit a031b557106f · 2020-01-30T09:41:29.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -65,6 +65,7 @@ All notable changes to this project will be documented in this file.
 - Fixed lograte bug and cleans up the messed up nginx/apache2 log permissions.
 - Fixed IfModule mpm_itk.c for apache2 templates.
 - Added mpm_itk for Deb10 single php installation only.
+- Hardening nginx configuration, drop TLSv1.1 support.
 
 ## [1.0.6] - 2019-09-24 - Hotfix
 ### Bugfixes
diff --git a/install/deb/nginx/nginx.conf b/install/deb/nginx/nginx.conf
@@ -106,7 +106,7 @@ http {
     ssl_session_cache   shared:SSL:20m;
     ssl_session_timeout 60m;
     ssl_buffer_size     1400;
-    ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_protocols       TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
     ssl_dhparam         /etc/ssl/dhparam.pem;
diff --git a/install/upgrade/versions/latest.sh b/install/upgrade/versions/latest.sh
@@ -151,6 +151,15 @@ if [ -e "/etc/mysql/my.cnf" ]; then
     fi
 fi
 
+# Hardening nginx configuration, drop TLSv1.1 support.
+if [ -e "/etc/nginx/nginx.conf" ]; then
+    nginx_tls_check=$(grep TLSv1.1 /etc/nginx/nginx.conf)
+    if [ ! -z "$nginx_tls_check" ]; then
+        echo "(*) Hardening nginx configuration, drop TLSv1.1 support..."
+        sed -i 's/TLSv1.1 //g' /etc/nginx/nginx.conf
+    fi
+fi
+
 # Fix logrotate permission bug for nginx
 if [ -e "/etc/logrotate/nginx" ]; then
     sed -i "s/create 640 nginx adm/create 640/g" /etc/logrotate.d/nginx
