Hello, No deeper research on my part. I just noticed the mailman3 snippet, and figured it's probably not a good idea to ship different SSL harderning snippets in various packages. Maintainers of apache2/nginx are probably in the best position to determine SSL options that are compatible with Debian, and maintaining their relevancy.
-- Sampo Sorsa ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Tuesday, December 4, 2018 9:55 PM, Thomas Ward <tew...@dark-net.net> wrote: > I should point out that "strong" options are typically only for the most > modern grades of interactivity of SSL compatibility. Therefore Cipherli.st's > recommendations are not altogether the most same approach to this even if > it's a non-default config snippet. > > Permit me to ask this, but what basis is being used by you to determine > "strong" options here? Purely cipherli.st or other sources of research as > well to support the "strong" definition in this case? > > Thomas > > On Tue, Dec 4, 2018, 01:42 Sampo Sorsa <sorsasa...@protonmail.com wrote: > >> Source: nginx >> Severity: wishlist >> >> nginx could ship with /etc/nginx/snippets/ssl-strong.conf that contains >> strong SSL options that can be included easily. >> >> Currently at least mailman3 ships with /etc/mailman3/nginx.conf containing >> SSL options. It would be a good idea to provide these in one place and just >> include in other packages. >> >> Perhaps consider relevant parts of https://cipherli.st/