Published a year ago
Nallorion
Updated a year ago
0
Remove deprecated TLS 1.0 and 1.1 by default.
Defaulting to deprecated TLS protocols and requiring payment for basic NGINX config changes is contradictory to the application's core functions and mission.
maosite
Updated a year ago
0
We need to confirm whether the default setting of TLS v1.0 will affect the compatibility of some clients.
SeanChengN
Updated a year ago
0
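I suggest that this setting also be modifiable in the Personal Edition. Enabling 1.0 and 1.1 by default runs contrary to security best practices and actually makes things less secure.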
Michal-Koeckeis-Fresel
Updated a year ago
0
Only enable TLSv1.2 and TLSv1.3 as default.
If customers need older versions they should opt in for these protocols.
The WAF should be secure by default and should not run old protocols in the default configuration.
sagehou
Updated a year ago
0
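I suggest enabling only TLSv1.2 and TLSv1.3 by default; it would be more reasonable for those with special requirements to change this in the Professional Edition.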
Michal-Koeckeis-Fresel
Updated a year ago
0
This is a default installation of SafeLine on one of my test servers:
https://www.ssllabs.com/ssltest/analyze.html?d=safeline-default.koeckeis-fresel.net&hideResults=on
This server supports TLS 1.0 and TLS 1.1. Grade capped to B.
SafeLine should be secure by default - not only in the pro version but out of the box for every installation.
An admin who wants to quickly test it will see a grade B on SSL Labs and will think that it is not secure by default and look for another product.
The default installation should only use perfect forward secrecy (PFS) ciphers:
TLSv1.3:
TLS_AES_128_GCM_SHA256 (0x1301) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_AES_256_GCM_SHA384 (0x1302) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_CHACHA20_POLY1305_SHA256 (0x1303) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLSv1.2:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp521r1 (eq. 15360 bits RSA) FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
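An added example (not part of the thread and not SafeLine's own code): a small Python check that scans nginx-style configuration text for the deprecated protocols discussed above and for TLSv1.2 ciphers outside the forward-secret list in the preceding comment. The OpenSSL-style cipher names, the `audit` function and both sample configs are assumptions constructed for illustration; SafeLine's actual configuration layout is not shown on this page.

```python
import re

# ssl_protocols tokens treated as deprecated for this check.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL names of the TLSv1.2 forward-secret suites listed in the comment above.
# With OpenSSL-based nginx, ssl_ciphers governs TLSv1.2 and below only.
PFS_TLS12 = {
    "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
}
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);", re.M)

def audit(conf: str) -> list[str]:
    """Return a list of findings for nginx configuration given as text."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before matching
    findings, seen = [], set()
    for name, value in DIRECTIVE.findall(conf):
        seen.add(name)
        value = value.strip().strip("'\"")
        if name == "ssl_protocols":
            findings += [f"deprecated protocol enabled: {p}"
                         for p in value.split() if p in DEPRECATED]
        else:
            findings += [f"cipher outside PFS allowlist: {c}"
                         for c in value.split(":") if c not in PFS_TLS12]
    for name in ("ssl_protocols", "ssl_ciphers"):
        if name not in seen:
            findings.append(f"{name} not set explicitly; built-in default applies")
    return findings

# Constructed sample configs: a permissive default and a hardened one.
WEAK = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA;
}
"""
HARDENED = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;  # older versions are opt-in
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
}
"""
```

Calling `audit(WEAK)` reports TLSv1, TLSv1.1 and the non-PFS `AES128-SHA` suite, while `audit(HARDENED)` returns an empty list.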
siment
Updated a year ago
0
This really needs to be addressed if you want broad adoption of your product.
Wil
Updated 9 months ago
Agree that a security product should be secure by default.
Carrie-SafeLine
Updated 7 months ago
0
The latest version 9.2.7, released on Oct. 28, has resolved this issue! SSL Protocol configuration is now available in the free Personal Edition.
Changelog:
English: https://docs.waf.chaitin.com/en/Reference/Changelog
Chinese: https://rivers.chaitin.cn/discussion/d402suj1s5rqo4fc1ong#%E6%9B%B4%E6%96%B0%E6%96%B9%E5%BC%8F