From debbugs-submit-bounces@debbugs.gnu.org Sat Jan 23 05:01:05 2021
Received: (at submit) by debbugs.gnu.org; 23 Jan 2021 10:01:05 +0000
Received: from localhost ([127.0.0.1]:33687 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1l3Fj7-0003Fp-3F
	for submit@debbugs.gnu.org; Sat, 23 Jan 2021 05:01:05 -0500
Received: from lists.gnu.org ([209.51.188.17]:50104)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jonathan.brielmaier@web.de>) id 1l3Fj6-0003Fi-4R
 for submit@debbugs.gnu.org; Sat, 23 Jan 2021 05:01:04 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:45044)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jonathan.brielmaier@web.de>)
 id 1l3Fj5-00005D-1n
 for guix-patches@gnu.org; Sat, 23 Jan 2021 05:01:03 -0500
Received: from mout.web.de ([212.227.15.4]:33491)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jonathan.brielmaier@web.de>)
 id 1l3Fj2-0001Jm-Tk
 for guix-patches@gnu.org; Sat, 23 Jan 2021 05:01:02 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de;
 s=dbaedf251592; t=1611396059;
 bh=ErrvR+kusliBULYXK06bR5nfonu1s2RSfPoy99wTnLM=;
 h=X-UI-Sender-Class:From:To:Cc:Subject:Date;
 b=BpzmjLd8ULF7bidUsI0PMPm3l028Egrat37u3MD/sZ+v8AQEF56XS2s9sKu41AmbD
 v5gCZyPdHGM9dDvjerMpaWkX0KELaTZMborhKuR555m6bNNPgGKpVeT9T4eSg6DOXG
 z5PN0qO6Y8+J/tWVTtTr7C9ksXpdBJIGLegNM9Co=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from 3700X.fritz.box ([5.146.192.196]) by smtp.web.de (mrweb003
 [213.165.67.108]) with ESMTPSA (Nemesis) id 0Llncm-1lcJQZ085g-00ZQDJ; Sat, 23
 Jan 2021 11:00:59 +0100
From: Jonathan Brielmaier <jonathan.brielmaier@web.de>
To: guix-patches@gnu.org
Subject: [PATCH] services: nginx: Add ssl-protocols option.
Date: Sat, 23 Jan 2021 11:00:49 +0100
Message-Id: <20210123100049.22389-1-jonathan.brielmaier@web.de>
X-Mailer: git-send-email 2.30.0
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:Xpy97j/O0mSWsG6ULDq05MqHXKrWU2rw4VX4or1/ZCed5vtxLn9
 MgtfywXNIbJGa14ER94wQ1BaETKz79Ejjz/GhjyaagC9vO0O5iMF9ifU45JpvisBaCJ1OU8
 +L3hiwVzmQ3TtmqR87hxxy1cHrr84j6I1dHIauDWkbqduOihQ8n1vKSx/ibFwRvRQrFhrwp
 eJKNSG8I7xUPRtMGNKptQ==
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:Z1bufxfXWMg=:vAnkBbj7v7lhEyf+vbnlHB
 TdlL6XWG0wjgZ/pkaEzYqaLkNbmGhe2IAXF9fouHmhcqqIKM8R/8aEQc0mPWJOqx2INw4iZMj
 KDUQ+3Fy3IMLoF99bUEUBZhh+5qI66MmJMzTcTAo1J2oQl1yD1FmW5emTClJJU6S618KcJfM4
 3atsI9qxA3KoiSAqxji9tuWT73eSUUHSHJeCfvl+RyzZ5NmnUeUapSYUXLlEBQFHTtd/oTF6N
 BTHQXWBw4IMDEFd2C/Rb3qIEVXCSOXqvG1iG7pt/bbPx+DyiBq5JCPQHxCiROLrpGpTrtVqKK
 JyHqJ+eINpc5olqouc6Tj3veG+5DyzpuqCtEB3YSB5x+iLdOaRB5pPHQzj1wxaEFybWkbxIAl
 r/vGPNH35Euq/L11s8AD4ZL8Df8sDvpmCwYPbpBYGfCZbAuFOudozRMdsSX7tst6BQxe0Df0Y
 PA5yXbjeT4VU/c2QCw/TJ4bsYwwDuk4qFWtVV79w+SNRIqIIkxmPJMEO1CuEFxtEzfrB4JO+I
 758DlJU9QZ6oLMjKhPvRhChK3fsc78WdrgEe+8sZeBjhCEyB4h6eLO39r1nOsid1PvOzpnSZq
 5q0Ms6IFg3/Gs4Gj90LSWwzOPKBzfZGmGhduClys5e4bIEo5vP2k1WNRx63gy+AsSzKUVRZIU
 0prPb6t9OqetMrKAlWD3FSPlq90BxVsH9nzRPJuhWE0Cyt+z02I8bDowyM2WI04+cX4b+NXfq
 hGILONrtqQwm8g3AtAuzGhQdq8SmY1jmqg/+sEvBp02gNYwPXALHrS+eHKN3a6jTE/U83Wu4t
 5sYMnxqMlRz3hjOGOpG/KS6G9+7TVOdr+3XP4KVerpXDsXrhJTor+1eBZ3vfOpjE5On6YTjAM
 K/WEIlHIKQJuf2EfW6nupSUSdHEKQMuiO/ZpqMP+4=
Received-SPF: pass client-ip=212.227.15.4;
 envelope-from=jonathan.brielmaier@web.de; helo=mout.web.de
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 0.1 (/)
X-Debbugs-Envelope-To: submit
Cc: Jonathan Brielmaier <jonathan.brielmaier@web.de>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

* gnu/services/web.scm (<nginx-server-configuration>)[ssl-protocols]:
New entry defaulting to "secure" versions of TLS.
(emit-nginx-server-config): Add it.
* doc/guix.texi (Web Services): Document it.
=2D--
 doc/guix.texi        | 3 +++
 gnu/services/web.scm | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 4a20b3b902..4c187d4383 100644
=2D-- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -23616,6 +23616,9 @@ you don't have a certificate or you don't want to =
use HTTPS.
 Where to find the private key for secure connections.  Set it to @code{#f=
} if
 you don't have a key or you don't want to use HTTPS.

+@item @code{ssl-protocols} (default: @code{"TLSv1.2 TLSv1.3"})
+The versions of TLS used.
+
 @item @code{server-tokens?} (default: @code{#f})
 Whether the server should add its configuration to response.

diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index ff7b262b6a..93e1e802dc 100644
=2D-- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -113,6 +113,7 @@
             nginx-server-configuration-index
             nginx-server-configuration-ssl-certificate
             nginx-server-configuration-ssl-certificate-key
+            nginx-server-configuration-ssl-protocols
             nginx-server-configuration-server-tokens?
             nginx-server-configuration-raw-content

@@ -489,6 +490,8 @@
                        (default #f))
   (ssl-certificate-key nginx-server-configuration-ssl-certificate-key
                        (default #f))
+  (ssl-protocols       nginx-server-configuration-ssl-protocols
+                       (default "TLSv1.2 TLSv1.3"))
   (server-tokens?      nginx-server-configuration-server-tokens?
                        (default #f))
   (raw-content         nginx-server-configuration-raw-content
@@ -587,6 +590,7 @@ of index files."
         (ssl-certificate (nginx-server-configuration-ssl-certificate serv=
er))
         (ssl-certificate-key
          (nginx-server-configuration-ssl-certificate-key server))
+        (ssl-protocols (nginx-server-configuration-ssl-protocols server))
         (root (nginx-server-configuration-root server))
         (index (nginx-server-configuration-index server))
         (try-files (nginx-server-configuration-try-files server))
@@ -606,6 +610,7 @@ of index files."
      "      server_name " (config-domain-strings server-name) ";\n"
      (and/l ssl-certificate     "      ssl_certificate " <> ";\n")
      (and/l ssl-certificate-key "      ssl_certificate_key " <> ";\n")
+     "      ssl_protocols " ssl-protocols ";\n"
      "      root " root ";\n"
      "      index " (config-index-strings index) ";\n"
      (if (not (nil? try-files))
=2D-
2.30.0





From debbugs-submit-bounces@debbugs.gnu.org Sat Jan 23 05:08:01 2021
Received: (at 46049) by debbugs.gnu.org; 23 Jan 2021 10:08:01 +0000
Received: from localhost ([127.0.0.1]:33703 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1l3Fpp-0003S4-1b
	for submit@debbugs.gnu.org; Sat, 23 Jan 2021 05:08:01 -0500
Received: from mout.web.de ([217.72.192.78]:55989)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jonathan.brielmaier@web.de>) id 1l3Fpm-0003Rn-Th
 for 46049@debbugs.gnu.org; Sat, 23 Jan 2021 05:07:59 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de;
 s=dbaedf251592; t=1611396471;
 bh=6ifVmVGJ28M9Zie51T2VJ41m/Y44g8Zu/yg0mA5WFfo=;
 h=X-UI-Sender-Class:To:From:Subject:Date;
 b=rNA/Busyxss+dCEmSrO1QKei8HFuriKyQdMG8Gkx/e4qieH8/i/Y65v7RbDnlK9js
 8tkcRFqdh0ZfQDI5/kwPqHX6k+cY+i+oCEMtZqI7d2MJFEorOGmrA7C5gdBRC3bvM2
 iQZg4bwIvL7oL8ItTtbaH/YJeXCV6ZjXijdtBzrw=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [192.168.178.88] ([5.146.192.196]) by smtp.web.de (mrweb105
 [213.165.67.124]) with ESMTPSA (Nemesis) id 1MjBVv-1lhW7u1pO1-00fEvO for
 <46049@debbugs.gnu.org>; Sat, 23 Jan 2021 11:07:51 +0100
To: 46049@debbugs.gnu.org
From: Jonathan Brielmaier <jonathan.brielmaier@web.de>
Subject: [PATCH] services: nginx: Add ssl-protocols option.
Message-ID: <5d511a10-e589-7de9-35ed-8294298dee7a@web.de>
Date: Sat, 23 Jan 2021 11:07:50 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Icedove/78.6.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-GB
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:6b2w46neiKF1L9lAzbcBUoMThPEpf021c4IqXhmYH5ZpFcaku0f
 pgSWpOkyTaEiohRRFu7oEFdL63BNFM/kFpWGy+yApl2NBEBDTv65N5F8iSrkQh2rZbzatub
 Alokmnov4YLhK3JwgahpiJ1R4Kv12Ivr4Oe3gMfRrs3gd2P6CL8Mz+Uatpwx35413vdSnRd
 GfcYiCEhVWZpg5HcAC1Qg==
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:1ayZtLZRwHw=:HYkSNsOA+S5lGTC/HtgJge
 jGC65sLFkS/EAlDntKNAe8WLOZVXq7LX9JnIKu9iz+MGQHiId7K9zmnDGF+zNV+CwLiOBsCNZ
 7pFRRog4mqId0lBVve2od+kYcNcwmxMtyPPeYm5gbzKXBUwSFQq4BxC9avSSWqL+4i7OeodOK
 zSBnE8eyBL7295UKs4cBEUICeohpV2nKDMAtnIVUoZqnz68fVpWaLoLyasd89u9rkYJ+TbVJL
 ndAWqcB0uq9LFAFjz4D0JiblC5T7FoKs46UaHEPE26lBvr3VwSatQl4VdkQ/gphWxEz0L2wnV
 bFmGxE7u3LSQvhKW8qP6LPbDSN2teAuzWbvqNUse7IjICsiN4dsKUs9Pf3Zp5WCaPNLNZpIzd
 JQE2SGLSIRLlDymEYv4xdg0C5z6LcSzLHtzzRcvctbSJwNiQ84uXmJRCE6ZBpOZiVGn9atfl4
 PXFyVKFBhPkfPBzT9ynFZ+udUcHsuBjaZqGnngoAqN/7GJuVVCVHq3vbxjIVCnoIJRGSJrP0q
 kQnmFmWm6S/k2c+tDGTTlxRUEa2cs3k05II1xJP/1i78FfhgHjPwcIKOlVOkSHRf8NV3h08l7
 MfARN/u7LkXspVnsNW2n/CRm5/Y8A5kN142AUPJgx4hAiO0q9AmeKqggqyLHRQhqiLmS1COjl
 ihrsVyFjZBWrPj3xz+bFBn77GO0c3EhtTSrqiCwKFHpcg1nn3Pm31/kI2OmTlktbVHPDD/CAQ
 XdKBTY2pqVGwyG6Y61ZqpHsYFJp+b/jsZ4J1oIpBR4G06A9crMgRf4vXyeW4srvmFW0tyJijV
 cShBI1hB5IWWCuVL+kxNBdBXhZTRU4zLRCNJ2ZfvlQaNaFIw6s7qVy9YsYmPJtWucHol0VRlH
 FM+mvslGfDkDtrYnO6GwBgSol/yFwlPlD8lQ9lLMw=
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 46049
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

I tested this change in multiple setups on my production server and I
could not find any grave issues, apart from maybe warnings about
duplication if you self setted this option via `raw-content`.

The default settings is accordingly to Mozillas "Intermediate"
configuration for nginx: https://ssl-config.mozilla.org

I would also like to implement an option with good defaults for
`ssl_ciphers` if you have ideas how to do that in a nice way speak up :)




From debbugs-submit-bounces@debbugs.gnu.org Sat Jan 23 19:46:05 2021
Received: (at submit) by debbugs.gnu.org; 24 Jan 2021 00:46:05 +0000
Received: from localhost ([127.0.0.1]:35643 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1l3TXZ-0002K8-B7
	for submit@debbugs.gnu.org; Sat, 23 Jan 2021 19:46:05 -0500
Received: from lists.gnu.org ([209.51.188.17]:57338)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <me@tobias.gr>) id 1l3TXY-0002K1-Cj
 for submit@debbugs.gnu.org; Sat, 23 Jan 2021 19:46:04 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:42138)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@tobias.gr>) id 1l3TXX-0002qx-Ti
 for guix-patches@gnu.org; Sat, 23 Jan 2021 19:46:04 -0500
Received: from tobias.gr ([2a02:c205:2020:6054::1]:33838)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@tobias.gr>) id 1l3TXU-00034U-UV
 for guix-patches@gnu.org; Sat, 23 Jan 2021 19:46:03 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobias.gr; s=2018;
 bh=VQbefYjBTvU5MMWHDu3xSFXsjP+tUODrAXu3kHjO2mo=; h=date:in-reply-to:
 references:subject:cc:to:from; b=VIVr+uYh2tqlR/g/gJYUXgrr5S2lMb4JK+E+J
 bKwiPxUsC7iBy/nHzOnccAu8UmzbIehdTmNInG9cUSbpWUIW4iVy//ppFZi1XcXAlvrdiF
 tEkZVFE7C122jUHASE9ehbb0jp+W8yaagbGh9D9zS7pRGTprq18BCXGLM1TLWwr9IXXn/j
 p48iX99mDRDTI9/FIXgU57CSNLWQ1hjbYaIji+GVAtAUdIETD0nAHOzrsPevioLrY77uL8
 NqOuPmdUeiJXt8j2oENB8liUDEBXU0G7a5ySRdW7yjUZE19xyTVlXP+lQPom9yDP7Yg4AH
 ttPUhz6FV4pBGGbFrUGrGxVEA==
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id 043074fa
 (TLSv1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256:NO); 
 Sun, 24 Jan 2021 00:46:34 +0000 (UTC)
BIMI-Selector: v=BIMI1; s=default;
From: Tobias Geerinckx-Rice <me@tobias.gr>
To: Jonathan Brielmaier <jonathan.brielmaier@web.de>
Subject: Re: [bug#46049] [PATCH] services: nginx: Add ssl-protocols option.
References: <20210123100049.22389-1-jonathan.brielmaier@web.de>
In-reply-to: <20210123100049.22389-1-jonathan.brielmaier@web.de>
Date: Sun, 24 Jan 2021 01:45:54 +0100
Message-ID: <878s8jqi0t.fsf@nckx>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Received-SPF: pass client-ip=2a02:c205:2020:6054::1; envelope-from=me@tobias.gr;
 helo=tobias.gr
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
Cc: 46049@debbugs.gnu.org, guix-patches@gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

--=-=-=
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Jonathan,

Jonathan Brielmaier =E5=86=99=E9=81=93=EF=BC=9A
> * gnu/services/web.scm=20
> (<nginx-server-configuration>)[ssl-protocols]:
> New entry defaulting to "secure" versions of TLS.

Thanks!

> +  (ssl-protocols       nginx-server-configuration-ssl-protocols
> +                       (default "TLSv1.2 TLSv1.3"))

This should be

  (default "TLSv1 TLSv1.1 TLSv1.2")

instead, see [0].  Otherwise LGTM!

Kind regards,

T G-R

[0]:=20
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYAzDQg0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15HHIA/iileMqUdOEIjDm3NEawC1uPslmtQRd6/8gz0c82
oMe5AQDnDj1w/iHRBhFvlQhsxCKuscH66xrhf2JBB9vrgoTQAA==
=8BZ2
-----END PGP SIGNATURE-----
--=-=-=--




From debbugs-submit-bounces@debbugs.gnu.org Sat Jan 23 20:36:51 2021
Received: (at submit) by debbugs.gnu.org; 24 Jan 2021 01:36:51 +0000
Received: from localhost ([127.0.0.1]:35663 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1l3UKh-0003Ut-AI
	for submit@debbugs.gnu.org; Sat, 23 Jan 2021 20:36:51 -0500
Received: from lists.gnu.org ([209.51.188.17]:42682)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <me@tobias.gr>) id 1l3UKf-0003Um-Me
 for submit@debbugs.gnu.org; Sat, 23 Jan 2021 20:36:49 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:47982)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@tobias.gr>) id 1l3UKf-0002UJ-Dy
 for guix-patches@gnu.org; Sat, 23 Jan 2021 20:36:49 -0500
Received: from tobias.gr ([2a02:c205:2020:6054::1]:33852)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@tobias.gr>) id 1l3UKd-00031m-3d
 for guix-patches@gnu.org; Sat, 23 Jan 2021 20:36:48 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobias.gr; s=2018;
 bh=OAVOP0PeYvCDTwP+9R6jfDR/HochUzkZonnQUx0stGs=; h=date:in-reply-to:
 references:subject:cc:to:from; b=T98t3wOM7nV7CWRLGx7dvWDdNS7XZx1cu8CEM
 4Fgsnjb/SaQ8lqZHk4bi4XydA1SW6NgMGc8vUIaA/FPPeNBw5J6lRZXjLKnreaXDMkfzAC
 Uj27Gfj9OMS4rxLn8dgqgXW/xp5wDC7GmfnAAVnvPu3Y4px3TAnXoPTrQQt8QLyKidSDVX
 7ade30333FdlzeiI1IoF0eCBLKqBL5nC9HdG8gsSnT1lejmV5Rf08hnd/7XWhDLgpIFbET
 cYC7f0WsEiDauDHjfMpIm8gHoXw2f3kWFKfwf7mKk9318WvVFK/CiekXL6cpoklroW1a00
 bmk0hAaOp7SNd2u3rL6d360/g==
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id 5c329a43
 (TLSv1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256:NO); 
 Sun, 24 Jan 2021 01:37:21 +0000 (UTC)
BIMI-Selector: v=BIMI1; s=default;
From: Tobias Geerinckx-Rice <me@tobias.gr>
To: Jonathan Brielmaier <jonathan.brielmaier@web.de>
Subject: Re: [bug#46049] [PATCH] services: nginx: Add ssl-protocols option.
References: <20210123100049.22389-1-jonathan.brielmaier@web.de>
 <5d511a10-e589-7de9-35ed-8294298dee7a@web.de>
In-reply-to: <5d511a10-e589-7de9-35ed-8294298dee7a@web.de>
Date: Sun, 24 Jan 2021 02:36:42 +0100
Message-ID: <874kj7qfo5.fsf@nckx>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Received-SPF: pass client-ip=2a02:c205:2020:6054::1; envelope-from=me@tobias.gr;
 helo=tobias.gr
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
Cc: 46049@debbugs.gnu.org, guix-patches@gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

--=-=-=
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Jonathan Brielmaier =E5=86=99=E9=81=93=EF=BC=9A
> The default settings is accordingly to Mozillas "Intermediate"
> configuration for nginx: https://ssl-config.mozilla.org

Oh, I see!  Hiding subjective tweaks to upstream defaults in Guix=20
services is a bad idea.

Imagine debugging this at 2 a.m., staring at the official nginx=20
documentation through your tears.

> I would also like to implement an option with good defaults for
> `ssl_ciphers` if you have ideas how to do that in a nice way=20
> speak up :)

How about writing =E2=80=98mozilla-recommended=E2=80=99 nginx configuration=
=20
presets that users can inherit from?  This would imply keeping=20
them up to date, including the specific versions of nginx and *ssl=20
in Guix.

I don't know whether this belongs in Guix or not, but then we=20
already ship someone's Facebook blocklist, so... :-)

Kind regards,

T G-R

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYAzPKw0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15GfUA/2NB4n/iQZTkT7C3N2EvtPsw3/cqYBfD25hRS/b1
eY9SAQCL8bF60pqyUPug9Lef+xgTYFQ0xgnKmw4GIbEnGjUzDQ==
=nXwD
-----END PGP SIGNATURE-----
--=-=-=--




From debbugs-submit-bounces@debbugs.gnu.org Sun Jan 24 08:25:58 2021
Received: (at submit) by debbugs.gnu.org; 24 Jan 2021 13:25:58 +0000
Received: from localhost ([127.0.0.1]:36070 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1l3fOw-000607-2J
	for submit@debbugs.gnu.org; Sun, 24 Jan 2021 08:25:58 -0500
Received: from lists.gnu.org ([209.51.188.17]:48992)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jonathan.brielmaier@web.de>) id 1l3fOu-0005zy-Qw
 for submit@debbugs.gnu.org; Sun, 24 Jan 2021 08:25:57 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:39062)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jonathan.brielmaier@web.de>)
 id 1l3fOr-0003E0-Eo
 for guix-patches@gnu.org; Sun, 24 Jan 2021 08:25:56 -0500
Received: from mout.web.de ([212.227.17.12]:55007)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jonathan.brielmaier@web.de>)
 id 1l3fOl-0004Nv-Hl
 for guix-patches@gnu.org; Sun, 24 Jan 2021 08:25:53 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de;
 s=dbaedf251592; t=1611494734;
 bh=EjH4pOVTboWzdVjQOfzhUniXUv7N3lOqXM5qOKNPuas=;
 h=X-UI-Sender-Class:To:Cc:References:From:Subject:Date:In-Reply-To;
 b=HWrGnMmgIiXtH+Po8X+Xp4XMgV7eymC8xQ7z2CZxOO2El1NG4ZmlDWoxCZ8w7EnnI
 fdu758s4GNo1l+PrRktxPGsDI3HUKmlxXeJvq/1GLkgvzh+4gQW5MA2EtdlUsDy8LX
 GTnml9yKjpgMWQA0Hmljfff+lq8y7NJSV1nii2kA=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [192.168.178.88] ([5.146.192.196]) by smtp.web.de (mrweb106
 [213.165.67.124]) with ESMTPSA (Nemesis) id 1Mf3uS-1lfkIx3o7u-00gZ7X; Sun, 24
 Jan 2021 14:25:33 +0100
To: Tobias Geerinckx-Rice <me@tobias.gr>
References: <20210123100049.22389-1-jonathan.brielmaier@web.de>
 <5d511a10-e589-7de9-35ed-8294298dee7a@web.de> <874kj7qfo5.fsf@nckx>
From: Jonathan Brielmaier <jonathan.brielmaier@web.de>
Subject: Re: [bug#46049] [PATCH] services: nginx: Add ssl-protocols option.
Message-ID: <01fc7a42-eba3-aaf6-783c-778cddf69b51@web.de>
Date: Sun, 24 Jan 2021 14:25:32 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Icedove/78.6.1
MIME-Version: 1.0
In-Reply-To: <874kj7qfo5.fsf@nckx>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-GB
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:vdeqxcWWT9ZebXfNpzpVFlDSJzZgYGH1UBRgYqJdfSkTnxXJ4cu
 uEw60iHuVpeH4iXDUgmE57JVCMD9Urz0q98Yx6g+FgIgI+78Wb2jZvlXk2JgYeh43/jhABR
 0GXCcNI7uMhH9v1ZewQbOcY8ZGrISGyZ7Pj2gpShiYJl2YsQMtWHBhfgjEo12trB8EHDy91
 T7Iax1lFU6vZQBMk7OtOw==
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:m0g7OQrDyww=:eENdufuWUgL75u5epgUDTV
 Q827fYFSGCyNaGlb8QixfVujXZiPUfzhmbVDtPZscSJnsaQS6GRL27Y1aGeSVtlug6l3EMrwh
 2uGy3GZrLufTXgJQnF9g/nY4/l1Z2RbHy4hYosoh3ethEGP1oeA4ZLIREgxmg9J3niBCux/13
 ghlmB0Lqbzxog0ppI1h3Gg5bbQDlr3O+w+EP01O0JxJZkcTHQSaR6FNhUp/jdJKVpnzwU8Bpo
 0sCX5jjhnZqpvzH1CZ1KoDFk7nZC+NfG9HE+G3JvO0mktJIqa5io5arIslWLlyN62ZQAFWmtP
 4jEd+rOeOJjI99Qjy4IrUXoeDui4oZrSs+uZEHySOrRoj/IS6gR8e/fe/A5/6rolUUTXphDvO
 FKhM16Tzst3wzlUy2nL7eGBWWOIKGP+6EUETI5KHU7Yp+FXhn0BupnMHnzz9kMRnp4h0NQ31V
 wJc1zaF/MpPcr9l0ig74KXEdkB7J3yiqeHSjA7Ny5zkBoCYr2rpcGxz0huneefcBcU5ww9EGV
 geM6jZryihp8+zNwNo+g0XoZuLIx8TSFpUGPSG0yQGiFuIdf9K8MSKFZDa8nEasvJBkn9Ow1h
 ZIOgsGrlaOzaVGPdJqEXxnifqr7V+sNNrObOoNT0/20uKmEOG3de8U0/8tFVtW2l3/OvqKJnG
 O2FOdHoRPLjRrXrAwk4lo/XjBzuOPml9xqx87hHKHgK6gYC+873gFIdqVSVHqzI5d8yrgKzZb
 aSoT+CMDsFC94ABxbf7zDvIoE0DBLN4cEph9whuTCEDFKA+evBZuVlhJUM19BmVQ9GE/vjIzK
 Nt2cQqrp0wjmwsY3PpCTRG3eB6CZ/Un9Dy+86hlvAzVJKyK14HyS33MfUYVigN2gbkrpnlshN
 senNwvF+ELi5QdKiKbZDuox6ic6w/ufs1o3prqMSg=
Received-SPF: pass client-ip=212.227.17.12;
 envelope-from=jonathan.brielmaier@web.de; helo=mout.web.de
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01,
 RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
Cc: 46049@debbugs.gnu.org, guix-patches@gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

On 24.01.21 02:36, Tobias Geerinckx-Rice wrote:
> Jonathan Brielmaier =E5=86=99=E9=81=93=EF=BC=9A
>> The default settings is accordingly to Mozillas "Intermediate"
>> configuration for nginx: https://ssl-config.mozilla.org
>
> Oh, I see!=C2=A0 Hiding subjective tweaks to upstream defaults in Guix
> services is a bad idea.
>
> Imagine debugging this at 2 a.m., staring at the official nginx
> documentation through your tears.

I see your point, but I usually start with the Guix service
documentation and it clearly would state "TLSv1.2 TLSv1.3". If your
client doesn't support TLSv1.2 (thats 12 years old), it's maybe a better
idea to fallback to HTTP...

I think in general its a good idea to follow upstreams default, but it
should not hinder us to make more secure defaults

>> I would also like to implement an option with good defaults for
>> `ssl_ciphers` if you have ideas how to do that in a nice way speak up :=
)
>
> How about writing =E2=80=98mozilla-recommended=E2=80=99 nginx configurat=
ion presets that
> users can inherit from?=C2=A0 This would imply keeping them up to date,
> including the specific versions of nginx and *ssl in Guix.

Hm, I try to keep stuff simple and to be honest all those service
"matroska" stuff grows over my head. If theres an error I can not debug
them at 2am or at any other time...

A compromise would maybe something like :
(ssl-protocols %upstream-default OR %mozilla-default OR "Your custom
string")




From debbugs-submit-bounces@debbugs.gnu.org Tue Nov 22 10:26:36 2022
Received: (at 46049) by debbugs.gnu.org; 22 Nov 2022 15:26:36 +0000
Received: from localhost ([127.0.0.1]:52296 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1oxVAS-0004AK-Hl
	for submit@debbugs.gnu.org; Tue, 22 Nov 2022 10:26:36 -0500
Received: from smtpm4.myservices.hosting ([185.26.105.235]:54772)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mirai@makinata.eu>) id 1oxVAQ-0004A5-9g
 for 46049@debbugs.gnu.org; Tue, 22 Nov 2022 10:26:35 -0500
Received: from mail1.netim.hosting (unknown [185.26.106.172])
 by smtpm4.myservices.hosting (Postfix) with ESMTP id CBDEC20D86
 for <46049@debbugs.gnu.org>; Tue, 22 Nov 2022 16:26:32 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
 by mail1.netim.hosting (Postfix) with ESMTP id 92E4280099
 for <46049@debbugs.gnu.org>; Tue, 22 Nov 2022 16:26:32 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mail1.netim.hosting
Received: from mail1.netim.hosting ([127.0.0.1])
 by localhost (mail1-1.netim.hosting [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id zEXQJUA1iwbz for <46049@debbugs.gnu.org>;
 Tue, 22 Nov 2022 16:26:32 +0100 (CET)
Received: from [192.168.1.239] (unknown [10.192.1.83])
 (Authenticated sender: lumen@makinata.eu)
 by mail1.netim.hosting (Postfix) with ESMTPSA id 4DD9880098
 for <46049@debbugs.gnu.org>; Tue, 22 Nov 2022 16:26:32 +0100 (CET)
Message-ID: <1d3856f6-8adb-7b1a-57c5-bb22533c202e@makinata.eu>
Date: Tue, 22 Nov 2022 15:26:31 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.4.2
To: 46049@debbugs.gnu.org
Subject: [PATCH] services: nginx: Add ssl-protocols option.
Content-Language: en-US
From: mirai <mirai@makinata.eu>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 46049
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

How about leaving it empty by default and writing the directive to file only if a value is present?
This way the defaults are automatically chosen by nginx. (as they can drift due to automatic protocol
support detection or as newer protocols roll out)

About making recommendations in the docs, I'd suggest linking it directly to Mozilla's website
rather than duplicating it and risk ending up with outdated advice.