aliss (aliss@outerheaven.club)'s status on Friday, 02-Sep-2022 05:29:46 JST

@helene
Hélène (helene@p.helene.moe)'s status on Friday, 02-Sep-2022 05:29:47 JST

By the way, the root of the TLS 1.2 issue is that Erlang/OTP does not support the X448 and X25519 curves for TLS 1.2. If you host an instance, please make sure you don't restrict the allowed ECDHE curves to only X448 and/or X25519, or Pleroma won't be able to connect to you (unless they have the TLS 1.3 patch)! This will cause big federation issues for you!
If you run nginx, check for ssl_ecdh_curve in your configuration (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve ), and make sure it allows/supports one of the following elliptic curves:

sect571r1, sect571k1, secp521r1, brainpoolP512r1, sect409k1, sect409r1, brainpoolP384r1, secp384r1, sect283k1, sect283r1, brainpoolP256r1, secp256k1, secp256r1, sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2, secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1, secp160r2

If you don't have an ssl_ecdh_curve directive, that means OpenSSL defaults are used (so it shouldn't be a problem on most distributions). If you do, I'd recommend making sure you at least have one of those from the list enabled, like this:

    ssl_ecdh_curve X25519:X448:sect571r1;

If you're picky about your curves, make sure to refer to https://safecurves.cr.yp.to/ as usual (but be picky only if you really know what you're doing; seriously!!)
This elliptic curve setting might also be referred to as “supported groups” in your software, please check for that setting!
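The check Hélène describes, as an added shell example that is not part of the thread and not Pleroma's or nginx's own tooling: it reads the ssl_ecdh_curve value out of an nginx config and decides whether a TLS 1.2 client limited to the curves listed in the post could still negotiate ECDHE. The curve list is copied from the post; the assumptions are mine: "auto" (nginx's default) means OpenSSL's default group list, which includes secp256r1 and secp384r1, and OpenSSL/nginx spells secp256r1 as prime256v1 (also accepting the NIST names P-256/P-384/P-521), so those spellings are normalised before comparison. The sample configs are constructed for the demo, and the optional live probe with openssl s_client is only defined, not run, because it needs network access.

```shell
#!/bin/sh
# Added example, not from the original post. Checks an nginx ssl_ecdh_curve
# setting against the TLS 1.2 curve list quoted in the thread.

# Curves an Erlang/OTP TLS 1.2 client can use, copied verbatim from the post.
OTP_TLS12_CURVES="sect571r1 sect571k1 secp521r1 brainpoolP512r1 sect409k1 sect409r1 \
brainpoolP384r1 secp384r1 sect283k1 sect283r1 brainpoolP256r1 secp256k1 secp256r1 \
sect239k1 sect233k1 sect233r1 secp224k1 secp224r1 sect193r1 sect193r2 secp192k1 \
secp192r1 sect163k1 sect163r1 sect163r2 secp160k1 secp160r1 secp160r2"

# Assumption: OpenSSL (and therefore nginx) names secp256r1 "prime256v1" and also
# accepts the NIST names; map those spellings onto the names used in the post.
normalize_curve() {
  case "$1" in
    prime256v1|P-256) echo secp256r1 ;;
    P-384)            echo secp384r1 ;;
    P-521)            echo secp521r1 ;;
    *)                echo "$1" ;;
  esac
}

# ecdh_curve_ok VALUE: VALUE is the ssl_ecdh_curve argument as written in nginx
# ("auto", or a colon-separated list such as "X25519:X448:secp384r1").
# Returns 0 when at least one curve from the post is offered, 1 otherwise.
ecdh_curve_ok() {
  value=$1
  # Assumption: "auto" selects OpenSSL's built-in default group list, which
  # contains secp256r1 and secp384r1 alongside X25519/X448.
  [ "$value" = "auto" ] && return 0
  for curve in $(printf '%s' "$value" | tr ':' ' '); do
    c=$(normalize_curve "$curve")
    for ok in $OTP_TLS12_CURVES; do
      [ "$c" = "$ok" ] && return 0
    done
  done
  return 1
}

# check_nginx_conf FILE: report on the ssl_ecdh_curve directive in FILE.
# First-pass check only: it takes the last directive found in this one file and
# does not follow include files or per-server overrides the way nginx does.
# Returns 0 when an OTP TLS 1.2 client could connect, 1 otherwise.
check_nginx_conf() {
  value=$(sed -n 's/^[[:space:]]*ssl_ecdh_curve[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$1" | tail -n 1)
  if [ -z "$value" ]; then
    echo "$1: no ssl_ecdh_curve directive, OpenSSL defaults apply: OK"
    return 0
  fi
  if ecdh_curve_ok "$value"; then
    echo "$1: ssl_ecdh_curve $value: OK"
    return 0
  fi
  echo "$1: ssl_ecdh_curve $value: only X25519/X448 offered, TLS 1.2 clients without them (e.g. Pleroma on Erlang/OTP) cannot connect"
  return 1
}

# probe_tls12 HOST: live check, not run here. Forces TLS 1.2 and offers only
# NIST curves from the post, so the handshake fails against a server that
# accepts nothing but X25519/X448 for ECDHE. Exit status 0 = handshake completed.
probe_tls12() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" -tls1_2 \
    -curves secp521r1:secp384r1:prime256v1 -brief >/dev/null 2>&1
}

# Constructed sample configs (not taken from any real instance) for the demo.
tmp=$(mktemp -d)
cat > "$tmp/bad.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:X448;
}
EOF
cat > "$tmp/good.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:X448:secp384r1;
}
EOF
check_nginx_conf "$tmp/bad.conf" || true
check_nginx_conf "$tmp/good.conf" || true
rm -rf "$tmp"
```

Run it as `sh check_curves.sh` to see the two constructed configs classified; point check_nginx_conf at your own nginx config (or call `probe_tls12 your.instance.example` once you have network access) to test a live server. Adding one NIST or brainpool curve after X25519:X448, as in the post's example, is enough: TLS 1.3 clients still get X25519 first, and TLS 1.2 clients that lack it fall through to the shared curve.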