dlandon Posted January 5, 2020

TLSv1 is being obsoleted this Spring and TLSv1 and TLSv1.1 should be removed from nginx.conf:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Major browsers are committed to supporting TLSv1.2 so there should be minimal issues.
itimpi Posted January 5, 2020

While I agree with the sentiment, I would think that the first step would be to make it optional (with the default being disabled) so that the real-world impact (if any) on Unraid users can be determined?
dlandon (author) Posted January 5, 2020

Based on what I've read, it won't be an option after March 2020.
itimpi Posted January 5, 2020

11 minutes ago, dlandon said:
    Based on what I've read, it won't be an option after March 2020.

That is assuming that users are not running old versions of devices/software that require the older variants of TLS? There will be a difference between servers requiring the new version and what the clients support, I would think?
uldise Posted January 5, 2020

FYI, one of the recent Win10 updates(?) simply disables TLSv1.. we have to apply a registry patch to turn them back on as we have an app that works on TLSv1 by default..
ljm42 Posted January 10, 2020 (edited)

Well you've really sent me down the rabbit hole. Tagging @limetech for visibility.

Not only should we disable TLSv1 and 1.1, we should enable 1.3. Lots of good info here:
https://en.wikipedia.org/wiki/Transport_Layer_Security

TLSv1.0 and 1.1 have multiple vulns:
https://www.globalsign.com/en/blog/disable-tls-10-and-all-ssl-versions/
https://tools.ietf.org/id/draft-moriarty-tls-oldversions-diediedie-00.html

TLSv1.2 is good, with significant availability:
https://qsportal.atlassian.net/wiki/spaces/DOC/pages/3571715/TLSv1.2+Browser+Compatibility

TLSv1.3 is best, with security and performance improvements over 1.2 (this should make the webgui a little faster in modern browsers that support it):
https://casecurity.org/2018/04/10/tls-1-3-includes-improvements-to-security-and-performance/

According to this page:
https://qsportal.atlassian.net/wiki/spaces/DOC/pages/3571715/TLSv1.2+Browser+Compatibility
TLSv1.2 has been enabled by default in most browsers for quite a while now:
- Chrome since version 38 (2014)
- Firefox since version 27 (2014)
- Safari since version 7 on OSX 10.9 (2013)
- IE since version 11 (2013)
- Edge (all versions)
- Android since Lollipop (2014)
- iOS since iOS 5 (2011?)

So the risk of dropping TLSv1 and 1.1 seems very small. If people really want to keep using their obsolete clients and don't care about the security issues, I see two options: add an option to the webgui to enable v1 and/or v1.1 (if we think a lot of people will need this), or provide a sed command that people could manually add to their go script that adds TLSv1 and/or TLSv1.1 to the nginx.conf.

Speaking of which, users who want to secure their systems today can use a good text editor (such as Notepad++, not Notepad) to edit the /config/go script in their "flash" share.

Add these lines to the top of the file (above the reference to emhttp):

    # disable TLSv1 and TLSv1.1, enable TLSv1.2 and TLSv1.3
    # see https://forums.unraid.net/topic/86949-tlsv1-is-being-obsoleted-this-spring/
    # Note: this is not needed in Unraid 6.8.2 and higher
    sed -i 's/TLSv1 TLSv1.1 TLSv1.2/TLSv1.2 TLSv1.3/' /etc/nginx/nginx.conf

Before rebooting, if you type this command:

    grep ssl_protocols /etc/nginx/nginx.conf

you should see:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

After rebooting with the updated go script, that same command should return:

    ssl_protocols TLSv1.2 TLSv1.3;

To undo this change, delete those lines from the go script and reboot.

Edited January 27, 2020 by ljm42
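The go-script sed above only matches the exact stock string "TLSv1 TLSv1.1 TLSv1.2" and silently does nothing if the line differs. The following is an added example (not from the thread or from Unraid itself) of a more robust version: it rewrites whatever the ssl_protocols directive currently lists, is safe to re-run on builds that already ship "TLSv1.2 TLSv1.3", and verifies the result instead of assuming it. The nginx.conf snippet it edits is a constructed stand-in, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Hardens the ssl_protocols
# directive in an nginx.conf and checks the outcome.

# Print the protocol list nginx currently offers, e.g. "TLSv1 TLSv1.1 TLSv1.2".
# Prints nothing if the file has no ssl_protocols directive.
current_ssl_protocols() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]][[:space:]]*\([^;]*\);.*$/\1/p' "$1" | head -n 1
}

# Return 0 if protocol $2 (e.g. TLSv1.1) is still listed in $1, else 1.
offers_protocol() {
    for p in $(current_ssl_protocols "$1"); do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# Rewrite the directive so only TLSv1.2 and TLSv1.3 are offered, whatever it
# listed before. Returns 0 when the file ends up with the wanted list, 1 if no
# directive was found or the rewrite did not take effect.
harden_ssl_protocols() {
    conf="$1"
    wanted="TLSv1.2 TLSv1.3"
    if [ -z "$(current_ssl_protocols "$conf")" ]; then
        echo "no ssl_protocols directive in $conf" >&2
        return 1
    fi
    # Write through a temp file instead of sed -i so it works with GNU and BSD sed.
    tmp="$conf.tmp.$$"
    sed "s/^\([[:space:]]*ssl_protocols[[:space:]]\)[^;]*;/\1$wanted;/" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
    [ "$(current_ssl_protocols "$conf")" = "$wanted" ]
}

# Constructed stand-in for the relevant part of /etc/nginx/nginx.conf on a
# stock 6.8.1 build; not a copy of the real file.
make_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF
}
```

On a live system you would call harden_ssl_protocols /etc/nginx/nginx.conf from the go script and follow it with the grep shown above.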
ljm42 Posted January 10, 2020

Here is a tool for checking the status of SSL installations on your internal network:
https://github.com/drwetter/testssl.sh

It is a command line tool, no GUI. You can run it from the Unraid command line like this:

    docker run -ti drwetter/testssl.sh <unraid host>:<unraid port>

(Note that after running this command, the "testssl" docker will show up in the Unraid webgui. You can't really run it from there, although you can use the webgui to delete it if you want.)

When run against stock Unraid 6.8.1-rc1, testssl reports:

    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered (deprecated)
    TLS 1.1    offered (deprecated)
    TLS 1.2    offered (OK)
    TLS 1.3    not offered and downgraded to a weaker protocol
    NPN/SPDY   h2, http/1.1 (advertised)
    ALPN/HTTP2 h2, http/1.1 (offered)

After making the changes above it confirms that only 1.2 and 1.3 are offered (good!):

    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      not offered
    TLS 1.1    not offered
    TLS 1.2    offered (OK)
    TLS 1.3    offered (OK): final
    NPN/SPDY   h2, http/1.1 (advertised)
    ALPN/HTTP2 h2, http/1.1 (offered)
ljm42 Posted January 27, 2020

Looks like this was included in 6.8.2, great! TLSv1 and v1.1 were removed, now v1.2 and v1.3 are available. If you modified your go script as described above, you should remove it.