grommunio / configs Goto Github PK

As per grommunio/gromox#90 (comment), “cipher lists for every individual daemon does not scale very well for an administrator”, however the grommunio-provided NGINX configuration in /usr/share/grommunio-common/nginx/ssl_params.conf has actually an individual configuration of TLS protocols and ciphers. This overrides what crypto-policies configure and the grommunio-provided NGINX-configuration is not in-line with common Mozilla recommendations, which are suited for performance, security and compatibility. Actually, grommunio even re-enables TLSv1.0 and TLSv1.1, which are deprecated as per RFC 8996, with the shipped configuration.

With the reason provided in grommunio/gromox#90 (comment), I suggest to remove the current grommunio-provided NGINX individual configuration in /usr/share/grommunio-common/nginx/ssl_params.conf related to TLS protocols and ciphers, but to only use what crypto-policies provide. This would also provide a really consistent experience to administrators across all components involved in a grommunio setup.

Oh, and adapting /usr/share/grommunio-common/nginx/ssl_params.conf yourself to get what crypto-policies are meant for does currently not work, because grommunio delivers this individual configuration in a configuration file not suited for editing, because any modification will be overriden during the next update of the "grommunio-common" RPM package (which kind of makes sense for itself, because it's /usr/share rather than /etc). Practically, trying to re-declare e.g. ssl_ciphers with PROFILE=SYSTEM in a later NGINX configuration file also fails, because NGINX doesn't support this, unfortunately:

$ nginx -t
nginx: [emerg] "ssl_ciphers" directive is duplicate in /etc/nginx/conf.d/grommunio_custom-crypto-policies.conf.include:1
nginx: configuration file /etc/nginx/nginx.conf test failed
$