Subject: [bug#46049] [PATCH] services: nginx: Add ssl-protocols option.
From: Jonathan Brielmaier
To: Tobias Geerinckx-Rice
Cc: 46049@debbugs.gnu.org, guix-patches@gnu.org
Date: Sun, 24 Jan 2021 14:25:32 +0100
Message-ID: <01fc7a42-eba3-aaf6-783c-778cddf69b51@web.de>
In-Reply-To: <874kj7qfo5.fsf@nckx>
References: <20210123100049.22389-1-jonathan.brielmaier@web.de> <5d511a10-e589-7de9-35ed-8294298dee7a@web.de> <874kj7qfo5.fsf@nckx>

On 24.01.21 02:36, Tobias Geerinckx-Rice wrote:
> Jonathan Brielmaier wrote:
>> The default setting is according to Mozilla's "Intermediate"
>> configuration for nginx: https://ssl-config.mozilla.org
>
> Oh, I see!  Hiding subjective tweaks to upstream defaults in Guix
> services is a bad idea.
>
> Imagine debugging this at 2 a.m., staring at the official nginx
> documentation through your tears.

I see your point, but I usually start with the Guix service documentation and it clearly would state "TLSv1.2 TLSv1.3". If your client doesn't support TLSv1.2 (that's 12 years old), it's maybe a better idea to fall back to HTTP...

I think in general it's a good idea to follow upstream's default, but it should not hinder us from making more secure defaults.

>> I would also like to implement an option with good defaults for
>> `ssl_ciphers` if you have ideas how to do that in a nice way speak up :)
>
> How about writing ‘mozilla-recommended’ nginx configuration presets that
> users can inherit from?  This would imply keeping them up to date,
> including the specific versions of nginx and *ssl in Guix.

Hm, I try to keep stuff simple and to be honest all those service "matryoshka" stuff grows over my head. If there's an error I can not debug them at 2am or at any other time...

A compromise would maybe be something like:
(ssl-protocols %upstream-default OR %mozilla-default OR "Your custom string")
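The "preset or custom string" compromise proposed above, sketched as a stand-alone Guile snippet. This is an added example, not code from the patch under discussion or from the Guix nginx service; the names `%upstream-default`, `%mozilla-default`, `%known-protocols`, `%deprecated-protocols` and `ssl-protocols->directive` are assumptions made here. It shows the part of the design that matters to a defender: the preset that defers to nginx emits no directive at all, the Mozilla preset emits the two protocols quoted in the thread, and a custom string is checked against the tokens nginx's `ssl_protocols` directive accepts, with a warning for deprecated ones, so a typo or a legacy protocol is caught when the configuration is built rather than while debugging a live server.

```scheme
;; Added example sketching the "preset OR preset OR custom string"
;; compromise from the reply above.  Not the patch's code; every name
;; below is an assumption made for this illustration.
(use-modules (ice-9 match))

;; %upstream-default: an empty list means "emit no ssl_protocols line",
;; so nginx keeps its own compiled-in default.
(define %upstream-default '())

;; %mozilla-default: the protocol list the thread quotes from the Mozilla
;; "Intermediate" nginx configuration.
(define %mozilla-default '("TLSv1.2" "TLSv1.3"))

;; Tokens accepted by nginx's ssl_protocols directive.
(define %known-protocols
  '("SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" "TLSv1.3"))

;; Protocols that should at least produce a warning when enabled.
(define %deprecated-protocols '("SSLv2" "SSLv3" "TLSv1" "TLSv1.1"))

(define (ssl-protocols->directive value)
  "Turn VALUE, either a preset list or a custom whitespace-separated
string, into nginx directive text.  An unknown token is an error; a
deprecated token is still emitted but reported on stderr, since a user
may need it for a legacy client.  The empty preset yields no directive."
  (let ((protocols (match value
                     ((? string? s) (string-tokenize s))
                     ((? list? l) l))))
    (for-each
     (lambda (protocol)
       (unless (member protocol %known-protocols)
         (error "ssl-protocols: unknown protocol token" protocol))
       (when (member protocol %deprecated-protocols)
         (format (current-error-port)
                 "warning: ssl-protocols enables deprecated protocol ~a~%"
                 protocol)))
     protocols)
    (if (null? protocols)
        ""                                 ; defer to nginx's own default
        (string-append "ssl_protocols "
                       (string-join protocols " ")
                       ";\n"))))

;; The three shapes a user could hand to the proposed field:
(display (ssl-protocols->directive %mozilla-default))
(display (ssl-protocols->directive %upstream-default))
(display (ssl-protocols->directive "TLSv1.1 TLSv1.2"))
```

Run it with `guile example.scm`. Whatever the final field ends up being called, the useful property is that the validation lives in the serializer: the Guix service documentation can state exactly which preset is the default, and a custom string that nginx would reject at startup is rejected at `guix system` evaluation time instead.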