Deploy GitHub Pages

2020-04-28 14:46:52 +00:00 · 2020-04-28 14:46:52 +00:00 · a7d9114970
commit a7d9114970
parent 3c8b328ae5
5 changed files with 59 additions and 58 deletions
--- a/user-guide/tls/index.html
+++ b/user-guide/tls/index.html
@ -1371,21 +1371,22 @@ by monitoring ingress resources and their referenced secrets.</p>
 The first version to fully support Kube-Lego is Nginx Ingress controller 0.8.</p>
 <h2 id="default-tls-version-and-ciphers">Default TLS Version and Ciphers<a class="headerlink" href="#default-tls-version-and-ciphers" title="Permanent link"> ¶</a></h2>
 <p>To provide the most secure baseline configuration possible,</p>
-<p>nginx-ingress defaults to using TLS 1.2 only and a <a href="../nginx-configuration/configmap/#ssl-ciphers">secure set of TLS ciphers</a>.</p>
+<p>nginx-ingress defaults to using TLS 1.2 and 1.3 only, with a <a href="../nginx-configuration/configmap/#ssl-ciphers">secure set of TLS ciphers</a>.</p>
 <h3 id="legacy-tls">Legacy TLS<a class="headerlink" href="#legacy-tls" title="Permanent link"> ¶</a></h3>
 <p>The default configuration, though secure, does not support some older browsers and operating systems.</p>
 <p>For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing,
 May 2018, <a href="https://developer.android.com/about/dashboards/#Platform">approximately 15% of Android devices</a>
 are not compatible with nginx-ingress's default configuration.</p>
 <p>To change this default behavior, use a <a href="../nginx-configuration/configmap/">ConfigMap</a>.</p>
-<p>A sample ConfigMap fragment to allow these older clients to connect could look something like the following:</p>
+<p>A sample ConfigMap fragment to allow these older clients to connect could look something like the following
+(generated using the Mozilla SSL Configuration Generator)<a href="https://ssl-config.mozilla.org/#server=nginx&amp;config=old">mozilla-ssl-config-old</a>:</p>
 <div class="highlight"><pre><span></span><code>kind: ConfigMap
 apiVersion: v1
 metadata:
  name: nginx-config
 data:
-  ssl-ciphers: &quot;ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA&quot;
-  ssl-protocols: &quot;TLSv1 TLSv1.1 TLSv1.2&quot;
+  ssl-ciphers: &quot;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA&quot;
+  ssl-protocols: &quot;TLSv1 TLSv1.1 TLSv1.2 TLSv1.3&quot;
 </code></pre></div>