Bug#915499: nginx: ship a snippet for strong SSL options

2018-12-28 Thread Thomas Ward
If we intend to go down this route, then we need to actually ship *two* snippets - to use Mozilla's TLS guide phrasing, one for 'modern', and one for 'intermediate'. The number of 'legacy' devices still out there requires that we not just go for the strongest options by default. This being

Bug#915499: nginx: ship a snippet for strong SSL options

2018-12-28 Thread Sampo Sorsa
Hello, No deeper research on my part. I just noticed the mailman3 snippet, and figured it's probably not a good idea to ship different SSL hardening snippets in various packages. Maintainers of apache2/nginx are probably in the best position to determine SSL options that are compatible with

Bug#915499: nginx: ship a snippet for strong SSL options

2018-12-04 Thread Thomas Ward
I should point out that "strong" options are typically only for the most modern grades of interactivity of SSL compatibility. Therefore Cipherli.st's recommendations are not altogether the most sane approach to this even if it's a non-default config snippet. Permit me to ask this, but what basis

Bug#915499: nginx: ship a snippet for strong SSL options

2018-12-03 Thread Sampo Sorsa
Source: nginx
Severity: wishlist
nginx could ship with /etc/nginx/snippets/ssl-strong.conf that contains strong SSL options that can be included easily. Currently at least mailman3 ships with /etc/mailman3/nginx.conf containing SSL options. It would be a good idea to provide these in one place