[bitnami/nginx] Specify ciphers suites and set strong ciphers

[d4rklynk]

It's better to specify cipher suites to avoid having too many ciphers authorized.

It allows better control of which cipher suites you use.

Only strong ciphers have been chosen.

The cipher have been choosed based on https://english.ncsc.nl/publications/publications/2021/january/19/it-security-guidelines-for-transport-layer-security-2.1

Only a few very very old version of somes OSes will not work (like OX 10.10 that ended 6 years ago).
You can check a handshake simulation example here with these ciphers.

[d4rklynk]

At the very least, we should set them up as so:

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_conf_command Options PrioritizeChaCha;

Based on:

• https://www.ssl.com/guide/tls-standards-compliance/
• https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.7

These cipher suites might be better for everyone use.

[jotamartos]

Hi @d4rklynk,

Thank you for your contribution and sorry for the delay. Please let us review and test the changes before merging them.

Thanks

[jotamartos]

Hi @d4rklynk,

I just reviewed your changes and proposed some changes according to the information you provided. Could you please review them and ping me here in this main thread so I get notified?

Thanks

[d4rklynk]

Hi @jotamartos , sorry, I don't see the changes that you proposed on my end. Could you confirm that you submitted your suggestions?

[jotamartos]

Yes, I added the comment and I can see it as well.

The changes I proposed were basically these ones

-           ssl_ciphers        ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
-	    ssl_prefer_server_ciphers on;
-	    ssl_conf_command Options PrioritizeChaCha;
+	    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;

[d4rklynk]

Hi, when you can, could you please complete your review? You didn't finish the review so I can't see it atm. I'm looking forward. Thanks!

These ciphers are ok imho, I'll let you finish the review so I can accept it.

[jotamartos]

So sorry about the review submission 😅 I thought I clicked on it.

[d4rklynk]

LGTM, Just keep in mind that DHE is weak under somes circumstances -> https://ciphersuite.info/cs/TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256/

Is it relevant to add strong ciphers commented out ? (in case someones needs it)

[jotamartos]

Is it relevant to add strong ciphers commented out ? (in case someones needs it)

I think that may confuse users. If the user knows what he's configuring, he'll set the list of ciphers he really wants to use but if he doesn't have enough experience with NGINX, he will probably end up enabling/disabling ciphers he does/doesn't really need.

Let me migrate this information to our systems and will merge this PR after that.

Thanks

[jotamartos]

Thank you for this contribution!