(Issue cloned from mozilla/server-side-tls#312)
Hi all,
I hope this is the correct place to ask for advice!
For our nginx TLS configuration, we base our configuration on the recommendations made by the Mozilla Server Side TLS Wiki.
We use the Intermediate profile, with a few changes to also follow the recommendations made by internet.nl, which is a Dutch initiative to improve TLS configurations.
Recently internet.nl has started warning for the SHA-224 SignatureAlgorithm, based on the recommendations made by the Dutch NCSC in their updated TLS Guidelines.
This appears to only affect TLS1.2.
However, there is no "pretty" way to configure these algorithms within nginx. There are also no recommendations made on the Mozilla Wiki regarding these signature algorithms.
I was able to get it working with this setting in nginx:
```nginx
ssl_conf_command SignatureAlgorithms ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512;
```
However, I have no idea if this value is correct, and I would much rather have a trusted party make recommendations on the SignatureAlgorithms that we can follow, instead of having to guess for the safe values ourselves.
Would this be something Mozilla could make recommendations for? Or is the recommendation to just disable TLS 1.2 entirely when the SignatureAlgorithms are a concern?
I will also contact internet.nl to ask for their advice; however, unfortunately they don't post configuration implementation best practices. Mozilla does do this, which is why I also ask here.
Thank you!
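The value passed through `ssl_conf_command SignatureAlgorithms` is handed straight to OpenSSL, so the first thing to check is whether every entry is valid OpenSSL syntax and whether any entry names a hash the NCSC guideline flags (SHA-1, SHA-224). The following script is an added example, not code from the issue, from nginx or from OpenSSL; it encodes the entry syntax documented for OpenSSL's `SSL_CTX_set1_sigalgs_list` (`ALG+HASH`, or a TLS 1.3 scheme name such as `rsa_pss_rsae_sha256`) and the TLS 1.3 SignatureScheme names from the IANA registry. The `audit` and `harden` helpers and the sample lists are constructed for this example.

```python
"""Audit an OpenSSL-style SignatureAlgorithms list for weak hashes.

Added example (not part of the original issue, nginx or OpenSSL).  Entry
syntax follows OpenSSL's SSL_CTX_set1_sigalgs_list(3): either "ALG+HASH"
with ALG in {RSA, RSA-PSS, DSA, ECDSA} and HASH in {SHA1, SHA224, SHA256,
SHA384, SHA512}, or a TLS 1.3 SignatureScheme name such as ed25519.
"""
import re

ALGORITHMS = {"RSA", "RSA-PSS", "DSA", "ECDSA"}
HASHES = {"SHA1", "SHA224", "SHA256", "SHA384", "SHA512"}
# Hashes to exclude: SHA-224 is what internet.nl warns about, SHA-1 is
# rejected by every current guideline.
WEAK_HASHES = {"SHA1", "SHA224"}
# TLS 1.3 SignatureScheme names (IANA registry) that OpenSSL accepts verbatim.
NAMED_SCHEMES = {
    "rsa_pkcs1_sha1", "ecdsa_sha1",
    "rsa_pkcs1_sha256", "rsa_pkcs1_sha384", "rsa_pkcs1_sha512",
    "ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384", "ecdsa_secp521r1_sha512",
    "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512",
    "rsa_pss_pss_sha256", "rsa_pss_pss_sha384", "rsa_pss_pss_sha512",
    "ed25519", "ed448",
}

# The value from the issue, for reference.
ISSUE_VALUE = ("ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:"
               "RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:"
               "RSA+SHA256:RSA+SHA384:RSA+SHA512")


def parse_entry(entry):
    """Return (algorithm, hash) for one entry; raise ValueError on bad syntax."""
    if "+" in entry:
        alg, _, digest = entry.partition("+")
        if alg not in ALGORITHMS or digest not in HASHES:
            raise ValueError(f"unknown signature algorithm entry: {entry!r}")
        return alg, digest
    if entry in NAMED_SCHEMES:
        # ed25519/ed448 carry their hash inside the scheme; report None.
        match = re.search(r"_(sha\d+)$", entry)
        return entry, (match.group(1).upper() if match else None)
    raise ValueError(f"unknown signature algorithm entry: {entry!r}")


def audit(sigalgs):
    """Classify each entry of a colon-separated list as strong, weak or invalid."""
    result = {"strong": [], "weak": [], "invalid": []}
    for entry in sigalgs.rstrip(";").split(":"):
        entry = entry.strip()
        if not entry:
            continue
        try:
            _, digest = parse_entry(entry)
        except ValueError:
            result["invalid"].append(entry)
            continue
        bucket = "weak" if digest in WEAK_HASHES else "strong"
        result[bucket].append(entry)
    return result


def harden(sigalgs):
    """Return the list with weak and invalid entries dropped, order preserved.

    Order matters: it is the preference order the server advertises.
    """
    return ":".join(audit(sigalgs)["strong"])


if __name__ == "__main__":
    # Constructed sample containing a SHA-224 entry, two SHA-1 entries and a typo.
    sample = "RSA+SHA224:ECDSA+SHA1:RSA+SHA256:rsa_pkcs1_sha1:ed25519:FOO+SHA256"
    print("issue value:", audit(ISSUE_VALUE))
    print("sample:     ", audit(sample))
    print("hardened:   ", harden(sample))
```

This only checks the string itself, not the running server. After reloading nginx, confirm the setting took effect from a client: `openssl s_client -connect host:443 -tls1_2 -sigalgs RSA+SHA224` should fail the handshake, while the same command with `RSA+SHA256` should succeed. Note that `ssl_conf_command` requires nginx 1.19.4 or later built against OpenSSL 1.0.2 or later.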