author | Chris Buechler <cmb@pfsense.org> | 2016-03-12 02:07:24 -0600 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2016-03-12 02:07:24 -0600 |
commit | 677f0a18c338cbd08c6bf70ea3006a22896fbbf2 (patch) | |
tree | be0296d3606ad43cbfe8cd41b2ea5d1706da4042 /src/etc/inc | |
parent | e0712c754d676fcbf020dada66041c3d2174e332 (diff) | |
Disable TLSv1.0 for web GUI's nginx instance. Ticket #5984
Diffstat (limited to 'src/etc/inc')
-rw-r--r-- | src/etc/inc/system.inc | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 0821c11..0532df9 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1324,7 +1324,12 @@ EOD;
 $nginx_config .= "\t\tssl_session_timeout 10m;\n";
 $nginx_config .= "\t\tkeepalive_timeout 70;\n";
 $nginx_config .= "\t\tssl_session_cache shared:SSL:10m;\n";
- $nginx_config .= "\t\tssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n";
+ if ($captive_portal !== false) {
+ // leave TLSv1.0 for CP for now for compatibility
+ $nginx_config .= "\t\tssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n";
+ } else {
+ $nginx_config .= "\t\tssl_protocols TLSv1.1 TLSv1.2;\n";
+ }
 $nginx_config .= "\t\tssl_ciphers \"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\";\n";
 $nginx_config .= "\t\tssl_prefer_server_ciphers on;\n";
 $nginx_config .= "\t\tadd_header Strict-Transport-Security \"max-age=31536000\";\n"; |
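Review bot: The captive-portal branch of the new `if` still advertises TLSv1.0, and its comment `// leave TLSv1.0 for CP for now for compatibility` names no condition or ticket for removing it, so the exception can easily outlive its reason. Because the AESGCM suites in the unchanged `ssl_ciphers` line are TLS 1.2-only, a TLS 1.0 client on that instance can only negotiate the CBC suites from `AES256+EECDH:AES256+EDH`. I would record both facts in the comment, e.g. `// CP only: TLSv1.0 kept for legacy clients (CBC suites only); remove per <tracking ticket>`. The test `$captive_portal !== false` also sends every value other than boolean `false` down the weaker branch; the parameter's declaration is outside this hunk, so please confirm that web GUI callers always pass exactly `false`. The enclosing function starts and ends outside the hunk.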