author: zeripath <art27@cantab.net> 2021-11-20 06:12:43 +0000
committer: GitHub <noreply@github.com> 2021-11-20 01:12:43 -0500
commit: c96be0cd982255f20a3fe6ff4683115b8073e65e (patch)
tree: 3b5c31858438becb2a8a24557c419de9fa085e2a /docs
parent: 9f14fe43c6de96ce7cf81c87620fcd50e086910c (diff)
Make SSL cipher suite configurable (#17440)
Diffstat (limited to 'docs')
-rw-r--r--docs/content/doc/advanced/config-cheat-sheet.en-us.md36
1 files changed, 36 insertions, 0 deletions
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index ae4f754170..d7a7023ff5 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -310,6 +310,42 @@ The following configuration set `Content-Type: application/vnd.android.package-a
- `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, allows redirecting http requests on `PORT_TO_REDIRECT` to the https port Gitea listens on.
- `PORT_TO_REDIRECT`: **80**: Port for the http redirection service to listen on. Used when `REDIRECT_OTHER_PORT` is true.
+- `SSL_MIN_VERSION`: **TLSv1.2**: Set the minimum version of ssl support.
+- `SSL_MAX_VERSION`: **\<empty\>**: Set the maximum version of ssl support.
+- `SSL_CURVE_PREFERENCES`: **X25519,P256**: Set the prefered curves,
+- `SSL_CIPHER_SUITES`: **ecdhe_ecdsa_with_aes_256_gcm_sha384,ecdhe_rsa_with_aes_256_gcm_sha384,ecdhe_ecdsa_with_aes_128_gcm_sha256,ecdhe_rsa_with_aes_128_gcm_sha256,ecdhe_ecdsa_with_chacha20_poly1305,ecdhe_rsa_with_chacha20_poly1305**: Set the preferred cipher suites.
+ - If there is not hardware support for AES suites by default the cha cha suites will be preferred over the AES suites
+ - supported suites as of go 1.17 are:
+ - TLS 1.0 - 1.2 cipher suites
+ - "rsa_with_rc4_128_sha"
+ - "rsa_with_3des_ede_cbc_sha"
+ - "rsa_with_aes_128_cbc_sha"
+ - "rsa_with_aes_256_cbc_sha"
+ - "rsa_with_aes_128_cbc_sha256"
+ - "rsa_with_aes_128_gcm_sha256"
+ - "rsa_with_aes_256_gcm_sha384"
+ - "ecdhe_ecdsa_with_rc4_128_sha"
+ - "ecdhe_ecdsa_with_aes_128_cbc_sha"
+ - "ecdhe_ecdsa_with_aes_256_cbc_sha"
+ - "ecdhe_rsa_with_rc4_128_sha"
+ - "ecdhe_rsa_with_3des_ede_cbc_sha"
+ - "ecdhe_rsa_with_aes_128_cbc_sha"
+ - "ecdhe_rsa_with_aes_256_cbc_sha"
+ - "ecdhe_ecdsa_with_aes_128_cbc_sha256"
+ - "ecdhe_rsa_with_aes_128_cbc_sha256"
+ - "ecdhe_rsa_with_aes_128_gcm_sha256"
+ - "ecdhe_ecdsa_with_aes_128_gcm_sha256"
+ - "ecdhe_rsa_with_aes_256_gcm_sha384"
+ - "ecdhe_ecdsa_with_aes_256_gcm_sha384"
+ - "ecdhe_rsa_with_chacha20_poly1305_sha256"
+ - "ecdhe_ecdsa_with_chacha20_poly1305_sha256"
+ - TLS 1.3 cipher suites
+ - "aes_128_gcm_sha256"
+ - "aes_256_gcm_sha384"
+ - "chacha20_poly1305_sha256"
+ - Aliased names
+ - "ecdhe_rsa_with_chacha20_poly1305" is an alias for "ecdhe_rsa_with_chacha20_poly1305_sha256"
+ - "ecdhe_ecdsa_with_chacha20_poly1305" is alias for "ecdhe_ecdsa_with_chacha20_poly1305_sha256"
- `ENABLE_LETSENCRYPT`: **false**: If enabled you must set `DOMAIN` to valid internet facing domain (ensure DNS is set and port 80 is accessible by letsencrypt validation server).
By using Lets Encrypt **you must consent** to their [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf).
- `LETSENCRYPT_ACCEPTTOS`: **false**: This is an explicit check that you accept the terms of service for Let's Encrypt.
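Review bot: the `SSL_CIPHER_SUITES` entry lists the three TLS 1.3 suites (`aes_128_gcm_sha256`, `aes_256_gcm_sha384`, `chacha20_poly1305_sha256`) as selectable, but Go's crypto/tls documents that `Config.CipherSuites` cannot restrict TLS 1.3 suites, so this setting only ever affects TLS 1.2 connections and the doc should say so explicitly. Since Go 1.17 the order of `Config.CipherSuites` is also ignored in favour of the library's own ranking, so "Set the preferred cipher suites" and "the cha cha suites will be preferred over the AES suites" describe Go's built-in ordering rather than anything the operator controls via this list; suggest wording it as "Restrict the set of allowed TLS 1.2 cipher suites" and noting the ordering is decided by Go. The RC4 and 3DES entries (`rsa_with_rc4_128_sha`, `rsa_with_3des_ede_cbc_sha`, `ecdhe_ecdsa_with_rc4_128_sha`, `ecdhe_rsa_with_rc4_128_sha`, `ecdhe_rsa_with_3des_ede_cbc_sha`) appear in the supported list with no caveat; mark them as legacy/insecure so that nobody copies them into a hardened config. Minor: "prefered" should be "preferred", "cha cha" should be "ChaCha20", "If there is not hardware support" should read "If there is no hardware support", the `SSL_CURVE_PREFERENCES` line ends in a comma instead of a period, and "ssl support" should read "TLS support" since these settings control TLS protocol versions.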