From 4db19ba4533798689085e1350daf4960adaaebe9 Mon Sep 17 00:00:00 2001
From: Diego Lendoiro
Date: Thu, 14 Sep 2017 14:42:33 +0200
Subject: [PATCH 1/3] strict cipher suite definitions
---
 conf/passbolt.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/passbolt.conf b/conf/passbolt.conf
index d51883d..bd13d67 100644
--- a/conf/passbolt.conf
+++ b/conf/passbolt.conf
@@ -55,7 +55,7 @@ server {
 ssl_certificate_key /etc/ssl/certs/certificate.key;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
- ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 ssl_session_tickets off;
 add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
 add_header X-Frame-Options DENY;
From 9674afb4d5b7057ac52cd490010cec5da73d8921 Mon Sep 17 00:00:00 2001
From: Diego Lendoiro
Date: Thu, 14 Sep 2017 14:44:18 +0200
Subject: [PATCH 2/3] removed support for TLSv1 and TLSv1.1. Fixes #66
---
 conf/passbolt.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/passbolt.conf b/conf/passbolt.conf
index bd13d67..9252cdf 100644
--- a/conf/passbolt.conf
+++ b/conf/passbolt.conf
@@ -53,7 +53,7 @@ server {
 ssl on;
 ssl_certificate /etc/ssl/certs/certificate.crt;
 ssl_certificate_key /etc/ssl/certs/certificate.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 ssl_session_tickets off;
From 18e05a5eeecffa5c4cd59ca5c94ec6d454403963 Mon Sep 17 00:00:00 2001
From: Diego Lendoiro
Date: Thu, 14 Sep 2017 15:03:11 +0200
Subject: [PATCH 3/3] removed duplicate
---
 conf/passbolt.conf | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/conf/passbolt.conf b/conf/passbolt.conf
index 9252cdf..c48a17a 100644
--- a/conf/passbolt.conf
+++ b/conf/passbolt.conf
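Review bot: The new `ssl_ciphers` value in the first hunk is less strict than the patch title suggests: `AES256+EECDH` and `AES256+EDH` expand to the CBC suites (ECDHE/DHE AES256-SHA, -SHA256, -SHA384), so SHA-1-MAC CBC ciphers remain negotiable alongside the AEAD ones. If AEAD-only is the goal, `ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM';` is enough on a TLS 1.2 deployment; if a CBC fallback is wanted, at least append `:!SHA1` to drop the SHA-1 MAC variants. The `EDH+…` groups also only help if `ssl_dhparam` points at a strong (2048-bit or larger) parameter file; no such directive is visible in this hunk, and older nginx releases fall back to built-in 1024-bit parameters without one, so please confirm it is set elsewhere in the `server` block. Minor style point: this is now the only quoted directive value in the block, which is harmless but inconsistent with the neighbouring lines.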
@@ -72,9 +72,6 @@ server {
 # This header enables the Cross-site scripting (XSS) filter
 add_header X-XSS-Protection "1; mode=block";
 
- # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
- add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-
 location / {
 try_files $uri $uri/ /index.php?$args;
 index index.php;
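Review bot: Dropping this duplicate is right (two HSTS headers in one response is at best confusing), but it also removes the only comment explaining why HSTS is enforced, and the surviving header in the first patch now carries `preload` with no explanation at all. Suggest moving the comment onto the surviving line, e.g. `# Force HTTPS for two years and opt in to browser preload lists; defeats SSL stripping` — `preload` in particular is worth a comment because it is effectively irreversible once the domain is submitted. One nginx caveat to check: `add_header` is only inherited by a nested `location` that declares no `add_header` of its own, so if `location /` (whose body continues past this hunk) or the PHP location adds any header, the server-level HSTS, X-Frame-Options and X-XSS-Protection headers silently stop being sent for those requests.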