|
@@ -162,10 +162,13 @@ and `CERT_NAME=shared` will then use this shared cert.
|
|
|
|
|
|
|
|
#### How SSL Support Works
|
|
#### How SSL Support Works
|
|
|
|
|
|
|
|
-The SSL cipher configuration is based on [mozilla nginx intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) which
|
|
|
|
|
|
|
+The SSL cipher configuration is based on the [Mozilla nginx intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) which
|
|
|
should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
|
|
should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
|
|
|
-Windows XP IE8, Android 2.3, Java 7. The configuration also enables HSTS, and SSL
|
|
|
|
|
-session caches.
|
|
|
|
|
|
|
+Windows XP IE8, Android 2.3, Java 7. Note that the DES-based TLS ciphers were removed for security.
|
|
|
|
|
+The configuration also enables HSTS, PFS, and SSL session caches. Currently TLS 1.0, 1.1 and 1.2
|
|
|
|
|
+are supported. TLS 1.0 is deprecated but its end of life is not until June 30, 2018. It is being
|
|
|
|
|
+included because the following browsers will stop working when it is removed: Chrome < 22, Firefox < 27,
|
|
|
|
|
+IE < 11, Safari < 7, iOS < 5, Android Browser < 5.
|
|
|
|
|
|
|
|
The default behavior for the proxy when port 80 and 443 are exposed is as follows:
|
|
The default behavior for the proxy when port 80 and 443 are exposed is as follows:
|
|
|
|
|
|
Steve Kamerman