From 5c111d0bd1206d864d7cb93754e101f6073bc669 Mon Sep 17 00:00:00 2001
From: amplifi
Date: Fri, 13 May 2022 13:59:49 -0400
Subject: [PATCH] Cite Mozilla ssl-config in Apache/NGINX TLS configs (#8670) (#9295)

* Cite Mozilla ssl-config in Apache/nginx TLS configs (certbot#8670)
* Update CHANGELOG
* Add TLS config hashes to ALL_SSL_OPTIONS_HASHES
* Update wording in CHANGELOG
---
 AUTHORS.md | 1 +
 certbot-apache/certbot_apache/_internal/constants.py | 2 ++
 .../_internal/tls_configs/current-options-ssl-apache.conf | 2 +-
 .../_internal/tls_configs/old-options-ssl-apache.conf | 2 +-
 certbot-nginx/certbot_nginx/_internal/constants.py | 4 ++++
 .../_internal/tls_configs/options-ssl-nginx-old.conf | 2 +-
 .../_internal/tls_configs/options-ssl-nginx-tls12-only.conf | 2 +-
 .../tls_configs/options-ssl-nginx-tls13-session-tix-on.conf | 2 +-
 .../_internal/tls_configs/options-ssl-nginx.conf | 2 +-
 certbot/CHANGELOG.md | 2 +-
 10 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/AUTHORS.md b/AUTHORS.md
index 44bbe02ab..9629b1135 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -18,6 +18,7 @@ Authors
 * [Alex Jordan](https://github.com/strugee)
 * [Alex Zorin](https://github.com/alexzorin)
 * [Amjad Mashaal](https://github.com/TheNavigat)
+* [amplifi](https://github.com/amplifi)
 * [Andrew Murray](https://github.com/radarhere)
 * [Andrzej Górski](https://github.com/andrzej3393)
 * [Anselm Levskaya](https://github.com/levskaya)
diff --git a/certbot-apache/certbot_apache/_internal/constants.py b/certbot-apache/certbot_apache/_internal/constants.py
index 208f4e24e..4e6fa1791 100644
--- a/certbot-apache/certbot_apache/_internal/constants.py
+++ b/certbot-apache/certbot_apache/_internal/constants.py
@@ -32,6 +32,8 @@ ALL_SSL_OPTIONS_HASHES: List[str] = [
     '5cc003edd93fb9cd03d40c7686495f8f058f485f75b5e764b789245a386e6daf',
     '007cd497a56a3bb8b6a2c1aeb4997789e7e38992f74e44cc5d13a625a738ac73',
     '34783b9e2210f5c4a23bced2dfd7ec289834716673354ed7c7abf69fe30192a3',
+    '61466bc2f98a623c02be8a5ee916ead1655b0ce883bdc936692076ea499ff5ce',
+    '3fd812e3e87fe5c645d3682a511b2a06c8286f19594f28e280f17cd6af1301b5',
 ]
 """SHA256 hashes of the contents of previous versions of all versions of MOD_SSL_CONF_SRC"""
diff --git a/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf b/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
index 32a2c3335..cb7583151 100644
--- a/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
+++ b/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
@@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org
 SSLEngine on
diff --git a/certbot-apache/certbot_apache/_internal/tls_configs/old-options-ssl-apache.conf b/certbot-apache/certbot_apache/_internal/tls_configs/old-options-ssl-apache.conf
index 1a3799628..0dbae7108 100644
--- a/certbot-apache/certbot_apache/_internal/tls_configs/old-options-ssl-apache.conf
+++ b/certbot-apache/certbot_apache/_internal/tls_configs/old-options-ssl-apache.conf
@@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org
 SSLEngine on
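Review bot: The two digests appended to ALL_SSL_OPTIONS_HASHES are unlabeled — nothing in the hunk says which of current-options-ssl-apache.conf and old-options-ssl-apache.conf each belongs to, and a mistyped or stale entry fails in an unhelpful direction: judging by the docstring (hashes of every shipped version of MOD_SSL_CONF_SRC) and the conf header's warning about manual edits, a deployed file whose hash is missing here is presumably treated as user-modified and stops receiving Certbot's future TLS-setting updates. A trailing comment per entry would make the list auditable, e.g. `'61466bc2f98a623c02be8a5ee916ead1655b0ce883bdc936692076ea499ff5ce',  # current-options-ssl-apache.conf, after the ssl-config.mozilla.org citation` — which digest is which I cannot confirm from the diff, so verify with `sha256sum` against the two updated files before labeling. If the test suite does not already assert that the sha256 of each shipped tls_configs file is in this list, that check belongs with this change. The list's opening line `ALL_SSL_OPTIONS_HASHES: List[str] = [` is above the hunk.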
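Review bot: The new citation `# this file. Contents are based on https://ssl-config.mozilla.org` names only the generator site, but that generator emits different directives per profile (modern / intermediate / old) and revises them across versions, so someone auditing this file for drift against upstream still cannot tell what it was derived from. Recording the profile and generator version or date would make that review possible, e.g. `# this file. Contents are based on the <profile> profile from https://ssl-config.mozilla.org (generator <version>, <date>).` — the profile actually used is not visible in this hunk (the protocol and cipher directives presumably follow further down), so fill it in from the file. The same wording gap applies to old-options-ssl-apache.conf and the four nginx variants touched by this commit. Since any comment edit changes the file's sha256, the ALL_SSL_OPTIONS_HASHES entries would need regenerating after such a wording change.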
diff --git a/certbot-nginx/certbot_nginx/_internal/constants.py b/certbot-nginx/certbot_nginx/_internal/constants.py
index 295679e2c..101fe5f4c 100644
--- a/certbot-nginx/certbot_nginx/_internal/constants.py
+++ b/certbot-nginx/certbot_nginx/_internal/constants.py
@@ -49,6 +49,10 @@ ALL_SSL_OPTIONS_HASHES = [
     'af85f6193808a44789a1d293e6cffa249cad9a21135940800958b8e3c72dbc69',
     'a2a612fd21b02abaa32d9d11ac63d987d6e3054dbfa356de5800eea0d7ce17f3',
     '2d9648302e3588a172c318e46bff88ade46fc7a16d6afc85322776a04800d473',
+    '5e21cc66989f26ec46116d979421e538131cf8ab33ffff3f682fbfe491b0ace8',
+    'f5615544105c4eee44f02a604e3e9ae55b3d5bad247160bb18731a0ac531af02',
+    '05a799c4db12f8e15e68219c98056824cbd5ae7b05863225318ae112f343880b',
+    'dc81acfd9670f137d5abbccfe3438d9306d4b6a906439b0fbf6a6756272e7cc7',
 ]
 """SHA256 hashes of the contents of all versions of MOD_SSL_CONF_SRC"""
diff --git a/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-old.conf b/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-old.conf
index a678b0507..48957f64a 100644
--- a/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-old.conf
+++ b/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-old.conf
@@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org
 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
diff --git a/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls12-only.conf b/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls12-only.conf
index 1933cbc4f..00ef6f3f5 100644
--- a/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls12-only.conf
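Review bot: Four unlabeled digests are appended to the nginx ALL_SSL_OPTIONS_HASHES — one per conf variant changed in this commit, presumably — but the hunk gives no way to map a digest to options-ssl-nginx.conf, -old, -tls12-only or -tls13-session-tix-on, so a transposed or stale entry would only surface when a user's untouched file is reported as manually edited and excluded from future updates. A trailing comment per entry naming its file would make the list reviewable, and a test that computes `hashlib.sha256(path.read_bytes()).hexdigest()` for every shipped tls_configs file and asserts membership in ALL_SSL_OPTIONS_HASHES would catch the list going stale (skip if such a test already exists; it is not visible here). The list's opening line `ALL_SSL_OPTIONS_HASHES = [` is above the hunk.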
+++ b/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls12-only.conf
@@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org
 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
diff --git a/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls13-session-tix-on.conf b/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls13-session-tix-on.conf
index 52fdfde24..917fef496 100644
--- a/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls13-session-tix-on.conf
+++ b/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls13-session-tix-on.conf
@@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org
 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
diff --git a/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf b/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
index 978e6e8ab..f2aadba3d 100644
--- a/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
+++ b/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
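Review bot: In options-ssl-nginx-tls13-session-tix-on.conf the added `# this file. Contents are based on https://ssl-config.mozilla.org` is accurate only up to a deliberate deviation that the file name itself advertises (session tickets on; likewise "tls12-only" for its sibling), and a reader comparing the file against the Mozilla generator will otherwise take the difference for drift. One sentence naming the deviation would remove that ambiguity, e.g. `# this file. Contents are based on https://ssl-config.mozilla.org, except that session tickets are left enabled for this variant.` — I am inferring the deviation from the file name, so confirm it against the directives further down, which are outside this hunk. The same treatment would suit the tls12-only variant above.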
@@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org
 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md
index ba45d46e4..f347cc689 100644
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -6,7 +6,7 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 ### Added
-*
+* Updated Apache/NGINX TLS configs to document contents are based on ssl-config.mozilla.org
 ### Changed