From 169d20a31724173b5e28f3ae56344cea15b206c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Fri, 17 Dec 2021 14:00:16 +0100 Subject: [PATCH] pmgproxy: document newly added options MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit adapted from pve-docs -> pveproxy Signed-off-by: Fabian Grünbichler --- pmgproxy.adoc | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/pmgproxy.adoc b/pmgproxy.adoc index 6e48fba..101f269 100644 --- a/pmgproxy.adoc +++ b/pmgproxy.adoc @@ -125,7 +125,10 @@ should set a maintenance window to bring this change into effect. SSL Cipher Suite ---------------- -You can define the cipher list in `/etc/default/pmgproxy`, for example: +You can define the cipher list in `/etc/default/pmgproxy`, via the `CIPHERS` +(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. + +For example: CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" @@ -141,6 +144,25 @@ by disabling the HONOR_CIPHER_ORDER option in `/etc/default/pmgproxy`: HONOR_CIPHER_ORDER=0 +Supported TLS versions +---------------------- + +The insecure SSL versions 2 and 3 are unconditionally disabled for `pmgproxy`. +TLS versions below 1.1 are disabled by default on recent OpenSSL versions, +which is honored by `pmgproxy` (see `/etc/ssl/openssl.cnf`). + +To disable TLS version 1.2, set the following in `/etc/default/pmgproxy`: + + DISABLE_TLS_1_2=1 + +or, respectively, to disable TLS version 1.3: + + DISABLE_TLS_1_3=1 + +NOTE: Unless there is a specific reason to do so, it is not recommended to +manually adjust the supported TLS versions. + + Diffie-Hellman Parameters -------------------------