Enable TLS 1.3

Is it possible to enable TLS 1.3 on Discourse? How is the local Nginx configured?

We disabled TLS 1.0 and 1.1 in mid 2018 per this topic.

Do we have TLS 1.3 support at least enabled somewhere @mpalmer?

https://caniuse.com/#feat=tls1-3

2 likes

No, I don’t think we’ve turned on TLS 1.3 anywhere yet.

3 likes

We run NGINX 1.5 at the moment in the containers:

Per:

We only enable TLSv1.2

I am mixed on enabling TLSv1.3 until Information on RFC 8446 » RFC Editor is ratified though.

For the time being simply adding another template after the ssl template with:

    - replace:
        hook: ssl
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: ssl_protocols TLSv1.2;
        to: |
          ssl_protocols TLSv1.2 TLSv1.3;

Would do the trick, the question though is if this is a trick you want to do given the protocol is still not ratified (even though it is being implemented)

5 likes

I think you may already know this, but changing ssl_protocols alone has no effect, because the underlying Nginx and OpenSSL versions have to support it, and the current Docker base image does not.

We just released a new base image with TLS 1.3 support :tada:

8 likes

When I look at the nginx config file inside the container, it has the following setting:

SSL settings

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE

Should the references to TLSv1 and TLSv1.1 be removed because of the BEAST attack?

Two different website checkers tell me that TLSv1 and TLSv1.1 are not enabled; I am not sure where they get disabled.

It is defined here
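A small static check for the config quoted above, added here as an example (it is not Discourse's own tooling): it finds every active `ssl_protocols` directive in an nginx config, reports which deprecated versions it still lists and whether TLSv1.3 is present, and rewrites the directive down to TLSv1.2 and TLSv1.3 while keeping the trailing comment. The sample config is constructed to mirror the line from the container; the script only reads the file text and does not model what the linked OpenSSL build actually supports.

```python
import re

# Constructed sample resembling the container nginx config quoted above (not the real file).
SAMPLE_CONF = """\
server {
    listen 443 ssl http2;
    # SSL settings
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
}
"""

# Versions that should no longer be offered (SSLv3: POODLE; TLS 1.0/1.1: deprecated).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Matches an active (not commented-out) ssl_protocols directive; anything after ';' is untouched.
DIRECTIVE = re.compile(r"^(?P<indent>[ \t]*)ssl_protocols\s+(?P<protos>[^;#]+);", re.MULTILINE)

def audit(conf):
    """Return one finding per ssl_protocols directive: what it lists and what is deprecated."""
    findings = []
    for m in DIRECTIVE.finditer(conf):
        protos = m.group("protos").split()
        findings.append({
            "protocols": protos,
            "deprecated": [p for p in protos if p in DEPRECATED],
            "tls13": "TLSv1.3" in protos,
        })
    return findings

def harden(conf):
    """Rewrite each ssl_protocols directive so only non-deprecated versions remain."""
    def fix(m):
        keep = [p for p in m.group("protos").split() if p not in DEPRECATED]
        if not keep:
            # A directive that listed only deprecated versions would become empty; fall back to modern TLS.
            keep = ["TLSv1.2", "TLSv1.3"]
        return f"{m.group('indent')}ssl_protocols {' '.join(keep)};"
    return DIRECTIVE.sub(fix, conf)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
    print(harden(SAMPLE_CONF))
```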