Subject: [bug#46049] [PATCH] services: nginx: Add ssl-protocols option.
To: 46049@debbugs.gnu.org
From: Jonathan Brielmaier
Date: Sat, 23 Jan 2021 11:00:49 +0100
Message-Id: <20210123100049.22389-1-jonathan.brielmaier@web.de>
X-Mailer: git-send-email 2.30.0
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

* gnu/services/web.scm ()[ssl-protocols]: New entry defaulting to "secure" versions of TLS. (emit-nginx-server-config): Add it. * doc/guix.texi (Web Services): Document it. =2D-- doc/guix.texi | 3 +++ gnu/services/web.scm | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/doc/guix.texi b/doc/guix.texi index 4a20b3b902..4c187d4383 100644 =2D-- a/doc/guix.texi +++ b/doc/guix.texi @@ -23616,6 +23616,9 @@ you don't have a certificate or you don't want to = use HTTPS. Where to find the private key for secure connections. Set it to @code{#f= } if you don't have a key or you don't want to use HTTPS. +@item @code{ssl-protocols} (default: @code{"TLSv1.2 TLSv1.3"}) +The versions of TLS used. + @item @code{server-tokens?} (default: @code{#f}) Whether the server should add its configuration to response. diff --git a/gnu/services/web.scm b/gnu/services/web.scm index ff7b262b6a..93e1e802dc 100644 =2D-- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -113,6 +113,7 @@ nginx-server-configuration-index nginx-server-configuration-ssl-certificate nginx-server-configuration-ssl-certificate-key + nginx-server-configuration-ssl-protocols nginx-server-configuration-server-tokens? nginx-server-configuration-raw-content 
@@ -489,6 +490,8 @@ (default #f)) (ssl-certificate-key nginx-server-configuration-ssl-certificate-key (default #f)) + (ssl-protocols nginx-server-configuration-ssl-protocols + (default "TLSv1.2 TLSv1.3")) (server-tokens? nginx-server-configuration-server-tokens? (default #f)) (raw-content nginx-server-configuration-raw-content @@ -587,6 +590,7 @@ of index files." (ssl-certificate (nginx-server-configuration-ssl-certificate serv= er)) (ssl-certificate-key (nginx-server-configuration-ssl-certificate-key server)) + (ssl-protocols (nginx-server-configuration-ssl-protocols server)) (root (nginx-server-configuration-root server)) (index (nginx-server-configuration-index server)) (try-files (nginx-server-configuration-try-files server)) @@ -606,6 +610,7 @@ of index files." " server_name " (config-domain-strings server-name) ";\n" (and/l ssl-certificate " ssl_certificate " <> ";\n") (and/l ssl-certificate-key " ssl_certificate_key " <> ";\n") + " ssl_protocols " ssl-protocols ";\n" " root " root ";\n" " index " (config-index-strings index) ";\n" (if (not (nil? try-files)) =2D- 2.30.0
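
Review bot: In the doc/guix.texi hunk, "The versions of TLS used." does not tell the reader what form the value takes. The field is a single string that is written unchanged after ssl_protocols in the generated server block, so the entry should say that it is a space-separated list of protocol names as accepted by nginx's ssl_protocols directive, and that the default restricts the server to TLSv1.2 and TLSv1.3.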
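
Review bot: In the record definition hunk (@@ -489,6 +490,8 @@), the default "TLSv1.2 TLSv1.3" applies to every existing nginx-server-configuration that does not set the field, so after this change each generated server block carries an ssl_protocols line it did not have before. That is a behaviour change for deployed configurations and deserves a sentence in the commit message or the manual. The value is also a free-form string with no check on it; a list of protocol names joined at emit time, in the way index and server-name go through config-index-strings and config-domain-strings, would match the neighbouring fields and give a place to validate the names before nginx parses the file.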
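
Review bot: In the last emit-nginx-server-config hunk (@@ -606,6 +610,7 @@), the ssl_protocols line is emitted unconditionally, while the ssl_certificate and ssl_certificate_key lines directly above it are wrapped in and/l and drop out when the field is #f. A server block with both certificate fields set to #f, which the manual gives as the way to run without HTTPS, still gets an ssl_protocols directive, and there is no value a user can set to omit the directive and inherit the setting from an enclosing context. Consider `(and/l ssl-protocols "      ssl_protocols " <> ";\n")` so that #f suppresses the line, and document #f as an accepted value.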