As per grommunio/gromox#90 (comment), “cipher lists for every individual daemon does not scale very well for an administrator”; however, the grommunio-provided NGINX configuration in `/usr/share/grommunio-common/nginx/ssl_params.conf` actually has an individual configuration of TLS protocols and ciphers. This overrides what crypto-policies configure, and the grommunio-provided NGINX configuration is not in line with common Mozilla recommendations, which are suited for performance, security and compatibility. Actually, grommunio even re-enables TLSv1.0 and TLSv1.1, which are deprecated as per RFC 8996, with the shipped configuration.

With the reason provided in grommunio/gromox#90 (comment), I suggest removing the current grommunio-provided individual NGINX configuration in `/usr/share/grommunio-common/nginx/ssl_params.conf` related to TLS protocols and ciphers, and only using what crypto-policies provide. This would also provide a really consistent experience to administrators across all components involved in a grommunio setup.

Oh, and adapting `/usr/share/grommunio-common/nginx/ssl_params.conf` yourself to get what crypto-policies are meant for currently does not work, because grommunio delivers this individual configuration in a configuration file not suited for editing: any modification will be overridden during the next update of the "grommunio-common" RPM package (which kind of makes sense in itself, because it's `/usr/share` rather than `/etc`). Practically, trying to re-declare e.g. `ssl_ciphers` with `PROFILE=SYSTEM` in a later NGINX configuration file also fails, because NGINX doesn't support this, unfortunately:
```
$ nginx -t
nginx: [emerg] "ssl_ciphers" directive is duplicate in /etc/nginx/conf.d/grommunio_custom-crypto-policies.conf.include:1
nginx: configuration file /etc/nginx/nginx.conf test failed
$
```
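Added example, not part of the original issue and not grommunio's code: a small audit that walks NGINX include files in load order and reports the three conditions the issue describes (deprecated protocols enabled, a cipher list that is not `PROFILE=SYSTEM`, and a re-declaration that `nginx -t` rejects as duplicate). The file contents are constructed samples, not the packaged file, and the check assumes both files are included into the same configuration context.

```python
import re

# Protocol versions a hardened config should not enable (TLSv1/TLSv1.1: RFC 8996).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
TLS_DIRECTIVES = ("ssl_protocols", "ssl_ciphers")

# Constructed stand-in for the packaged file; NOT its real contents.
SHIPPED = ("/usr/share/grommunio-common/nginx/ssl_params.conf", """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;  # constructed sample
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
""")
# The administrator's attempted override, as described in the issue.
CUSTOM = ("/etc/nginx/conf.d/grommunio_custom-crypto-policies.conf.include",
          "ssl_ciphers PROFILE=SYSTEM;\n")

def parse_directives(text):
    """Yield (name, args) for simple one-line directives, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s+(.*?);$", line)
        if m:
            yield m.group(1), m.group(2).split()

def audit(files):
    """files: (path, content) pairs in include order, assumed same context."""
    findings, first_seen = [], {}
    for path, content in files:
        for name, args in parse_directives(content):
            if name not in TLS_DIRECTIVES:
                continue
            if name in first_seen:
                # nginx refuses a second declaration in the same context.
                findings.append(("duplicate", name, path, first_seen[name]))
            else:
                first_seen[name] = path
            if name == "ssl_protocols":
                for proto in sorted(DEPRECATED & set(args)):
                    findings.append(("deprecated-protocol", proto, path, None))
            if name == "ssl_ciphers" and args != ["PROFILE=SYSTEM"]:
                # An explicit list replaces the system-wide crypto-policies set.
                findings.append(("overrides-crypto-policies", name, path, None))
    return findings

if __name__ == "__main__":
    for finding in audit([SHIPPED, CUSTOM]):
        print(finding)
```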