| Field | Value | Date |
|---|---|---|
| author | zeripath <art27@cantab.net> | 2021-11-20 06:12:43 +0000 |
| committer | GitHub <noreply@github.com> | 2021-11-20 01:12:43 -0500 |
| commit | c96be0cd982255f20a3fe6ff4683115b8073e65e (patch) | |
| tree | 3b5c31858438becb2a8a24557c419de9fa085e2a /docs/content/doc | |
| parent | 9f14fe43c6de96ce7cf81c87620fcd50e086910c (diff) | |
| download | gitea-c96be0cd982255f20a3fe6ff4683115b8073e65e.tar.gz gitea-c96be0cd982255f20a3fe6ff4683115b8073e65e.zip | |
Make SSL cipher suite configurable (#17440)
Diffstat (limited to 'docs/content/doc')
-rw-r--r-- | docs/content/doc/advanced/config-cheat-sheet.en-us.md | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index ae4f754170..d7a7023ff5 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md 
@@ -310,6 +310,42 @@ The following configuration set `Content-Type: application/vnd.android.package-a - `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, allows redirecting http requests on `PORT_TO_REDIRECT` to the https port Gitea listens on. - `PORT_TO_REDIRECT`: **80**: Port for the http redirection service to listen on. Used when `REDIRECT_OTHER_PORT` is true. +- `SSL_MIN_VERSION`: **TLSv1.2**: Set the minimum version of ssl support. +- `SSL_MAX_VERSION`: **\<empty\>**: Set the maximum version of ssl support. +- `SSL_CURVE_PREFERENCES`: **X25519,P256**: Set the prefered curves, +- `SSL_CIPHER_SUITES`: **ecdhe_ecdsa_with_aes_256_gcm_sha384,ecdhe_rsa_with_aes_256_gcm_sha384,ecdhe_ecdsa_with_aes_128_gcm_sha256,ecdhe_rsa_with_aes_128_gcm_sha256,ecdhe_ecdsa_with_chacha20_poly1305,ecdhe_rsa_with_chacha20_poly1305**: Set the preferred cipher suites. + - If there is not hardware support for AES suites by default the cha cha suites will be preferred over the AES suites + - supported suites as of go 1.17 are: + - TLS 1.0 - 1.2 cipher suites + - "rsa_with_rc4_128_sha" + - "rsa_with_3des_ede_cbc_sha" + - "rsa_with_aes_128_cbc_sha" + - "rsa_with_aes_256_cbc_sha" + - "rsa_with_aes_128_cbc_sha256" + - "rsa_with_aes_128_gcm_sha256" + - "rsa_with_aes_256_gcm_sha384" + - "ecdhe_ecdsa_with_rc4_128_sha" + - "ecdhe_ecdsa_with_aes_128_cbc_sha" + - "ecdhe_ecdsa_with_aes_256_cbc_sha" + - "ecdhe_rsa_with_rc4_128_sha" + - "ecdhe_rsa_with_3des_ede_cbc_sha" + - "ecdhe_rsa_with_aes_128_cbc_sha" + - "ecdhe_rsa_with_aes_256_cbc_sha" + - "ecdhe_ecdsa_with_aes_128_cbc_sha256" + - "ecdhe_rsa_with_aes_128_cbc_sha256" + - "ecdhe_rsa_with_aes_128_gcm_sha256" + - "ecdhe_ecdsa_with_aes_128_gcm_sha256" + - "ecdhe_rsa_with_aes_256_gcm_sha384" + - "ecdhe_ecdsa_with_aes_256_gcm_sha384" + - "ecdhe_rsa_with_chacha20_poly1305_sha256" + - "ecdhe_ecdsa_with_chacha20_poly1305_sha256" + - TLS 1.3 cipher suites + - "aes_128_gcm_sha256" + - "aes_256_gcm_sha384" + - "chacha20_poly1305_sha256" + 
- Aliased names + - "ecdhe_rsa_with_chacha20_poly1305" is an alias for "ecdhe_rsa_with_chacha20_poly1305_sha256" + - "ecdhe_ecdsa_with_chacha20_poly1305" is alias for "ecdhe_ecdsa_with_chacha20_poly1305_sha256" - `ENABLE_LETSENCRYPT`: **false**: If enabled you must set `DOMAIN` to valid internet facing domain (ensure DNS is set and port 80 is accessible by letsencrypt validation server). By using Lets Encrypt **you must consent** to their [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf). - `LETSENCRYPT_ACCEPTTOS`: **false**: This is an explicit check that you accept the terms of service for Let's Encrypt. |
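Review bot: the new `SSL_MIN_VERSION` and `SSL_MAX_VERSION` entries give a default (`TLSv1.2`) but never state which values are accepted, so a reader cannot tell whether `TLSv1.3`, `TLSv1.1` or `TLSv1.0` are valid spellings; list the accepted strings (or say where they are parsed) and state what `<empty>` means for `SSL_MAX_VERSION`, presumably no upper bound. Smaller documentation points in the same hunk: `SSL_CURVE_PREFERENCES` has the typo `prefered` and ends with a comma instead of a period; the first sub-bullet under `SSL_CIPHER_SUITES` should read `If there is no hardware support for AES, the ChaCha20 suites will be preferred over the AES suites by default`; and the two alias bullets are phrased inconsistently (`is an alias for` / `is alias for`). Since the list is stated to be "supported suites as of go 1.17", it would also help to say that the TLS 1.3 suites are listed for completeness only (Go's crypto/tls does not let applications restrict or reorder TLS 1.3 cipher suites, so `SSL_CIPHER_SUITES` only affects TLS 1.0 to 1.2 connections), and that the `rc4`, `3des` and CBC entries are legacy suites accepted for compatibility rather than recommended choices, so administrators who trim the default list do not reach for them.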