reworked cipher suites and re-enabled TLS v1.2

TLS v1.2 re-enabled because the default curl implementation on Windows uses Schannel SSP for TLS and Schannel for Windows 10 does not support TLS v1.3
datasharingframework · Oct 31, 2023 · 61674af · 61674af
1 parent c69fdb4
commit 61674af
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/dsf-docker-test-setup-3dic-ttp/proxy/nginx.conf b/dsf-docker-test-setup-3dic-ttp/proxy/nginx.conf
@@ -30,8 +30,9 @@ http {
 
     ssl_certificate /run/secrets/proxy_certificate_and_int_cas.pem;
     ssl_certificate_key /run/secrets/proxy_certificate_private_key.pem;
-    ssl_protocols TLSv1.3;
-    ssl_prefer_server_ciphers off;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+    ssl_prefer_server_ciphers on;
     add_header Strict-Transport-Security "max-age=63072000" always;
 
     ssl_client_certificate /run/secrets/proxy_trusted_client_cas.pem;	

diff --git a/dsf-docker/fhir_proxy/conf/extra/httpd-ssl.conf b/dsf-docker/fhir_proxy/conf/extra/httpd-ssl.conf
@@ -65,7 +65,9 @@ Listen 443
 #SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
 #SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
 SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+SSLCipherSuite SSL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
 SSLProxyCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+SSLProxyCipherSuite SSL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
 
 #   User agents such as web browsers are not configured for the user's
 #   own preference of either security or performance, therefore this
@@ -80,8 +82,8 @@ SSLHonorCipherOrder on
 #   protocol or later should remain in use.
 #SSLProtocol all -SSLv3 -TLSv1
 #SSLProxyProtocol all -SSLv3 -TLSv1
-SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
-SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2	
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1	
 
 #   Pass Phrase Dialog:
 #   Configure the pass phrase gathering process.