fix: force SSL/TLS for vsftpd by default; remove TLSv1 and TLSv1.1, add TLSv1.3 for nginx #242
Merged
amefs merged 2 commits into amefs:development, Mar 22, 2026
Conversation
While we have already configured ssl_enable=YES, the client could still log on and transfer data insecurely without these two options enabled.

TLSv1 and TLSv1.1 were deprecated in 2021 and we should definitely remove them now. Some ciphers in TLSv1.2 are not considered safe any more, so we should only enable some of them (no need to do this with TLSv1.3). The list here is copied from the default settings of Caddy as of now, see: https://github.com/caddyserver/caddy/blob/master/modules/caddytls/values.go#L49

Note that I wanted to add `ssl_conf_command Options PrioritizeChaCha;` as well, such that non-AES-NI devices (e.g. older Android) can automatically switch to CHACHA20 ciphers; however, this requires nginx > 1.19.4, but Debian 11 and Ubuntu 20.04 LTS are still on nginx 1.18.0. Maybe we can add this later, or not... given that the quickbox-lite panel is primarily for desktop use, and those devices are pretty much obsolete anyway.

I also changed `ssl_ecdh_curve` to `auto`, such that users running newer versions of nginx/openssl automatically use modern curves such as X25519MLKEM768 while maintaining compatibility with older versions.
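To make the settings discussed above checkable before they are deployed, here is an added example (not code from this PR or from the quickbox-lite project): a small offline linter that parses constructed nginx and vsftpd config fragments and reports the weaknesses the PR removes. It goes a little beyond the PR text: the Caddy cipher list is rendered in OpenSSL naming (an assumption about the mapping), the version gate for `ssl_conf_command` is checked against nginx's own changelog entry (1.19.4), and the two vsftpd options the description does not name are assumed to be `force_local_logins_ssl` and `force_local_data_ssl`. All config fragments are constructed for the example.

```python
"""Offline linter for the TLS settings this PR touches in nginx and vsftpd.
Added example, not code from the PR or from quickbox-lite."""
import re

# Protocol versions deprecated by RFC 8996 (TLS 1.0/1.1) or long broken (SSLv2/3).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumed OpenSSL names for the six ECDHE+AEAD TLS 1.2 suites in Caddy's default list.
ALLOWED_TLS12_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
}

# Constructed samples: pre-PR style settings beside the hardened ones.
WEAK_NGINX = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ecdh_curve secp384r1;
"""
HARDENED_NGINX = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_ecdh_curve auto;
"""
WEAK_VSFTPD = "ssl_enable=YES\n"
# Assumption: the "two options" the PR does not name are vsftpd's
# force_local_logins_ssl and force_local_data_ssl.
HARDENED_VSFTPD = "ssl_enable=YES\nforce_local_logins_ssl=YES\nforce_local_data_ssl=YES\n"


def nginx_directives(text):
    """Map one-line 'name arg arg;' directives to their argument lists."""
    out = {}
    for m in re.finditer(r"^\s*([a-z_]+)\s+([^;#\n]+);", text, re.M):
        out[m.group(1)] = m.group(2).split()
    return out


def lint_nginx_tls(text):
    """Return a list of findings; an empty list means the fragment is clean."""
    d = nginx_directives(text)
    findings = []
    protos = set(d.get("ssl_protocols", []))
    for p in sorted(protos & DEPRECATED_PROTOCOLS):
        findings.append(f"ssl_protocols enables deprecated {p}")
    if "TLSv1.3" not in protos:
        findings.append("ssl_protocols does not enable TLSv1.3")
    # ssl_ciphers takes one colon-separated OpenSSL cipher string, optionally quoted.
    cipher_str = " ".join(d.get("ssl_ciphers", [])).strip("'\"")
    for c in filter(None, cipher_str.split(":")):
        # OpenSSL macros such as HIGH are flagged too: what they expand to
        # depends on the OpenSSL build, so the effective list is not reviewable.
        if c not in ALLOWED_TLS12_CIPHERS:
            findings.append(f"ssl_ciphers includes non-allowlisted entry {c}")
    curve = d.get("ssl_ecdh_curve", ["auto"])
    if curve != ["auto"]:
        findings.append(f"ssl_ecdh_curve pins {':'.join(curve)} instead of auto")
    return findings


def supports_ssl_conf_command(nginx_version):
    """ssl_conf_command appeared in nginx 1.19.4, so the 1.18.0 shipped by
    Debian 11 / Ubuntu 20.04 cannot carry 'ssl_conf_command Options PrioritizeChaCha;'."""
    return tuple(int(x) for x in nginx_version.split(".")) >= (1, 19, 4)


def vsftpd_settings(text):
    """Parse vsftpd's key=value lines, ignoring comments."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def lint_vsftpd_tls(text):
    """ssl_enable=YES only offers TLS; both force_* options make it mandatory."""
    s = vsftpd_settings(text)
    findings = []
    if s.get("ssl_enable") != "YES":
        findings.append("ssl_enable is not YES")
    for opt in ("force_local_logins_ssl", "force_local_data_ssl"):
        if s.get(opt) != "YES":
            findings.append(f"{opt} is not YES, so clients may log in or transfer in plaintext")
    return findings


if __name__ == "__main__":
    for name, text in (("weak nginx", WEAK_NGINX), ("hardened nginx", HARDENED_NGINX)):
        print(name, lint_nginx_tls(text) or "OK")
    for name, text in (("weak vsftpd", WEAK_VSFTPD), ("hardened vsftpd", HARDENED_VSFTPD)):
        print(name, lint_vsftpd_tls(text) or "OK")
    print("PrioritizeChaCha usable on nginx 1.18.0:", supports_ssl_conf_command("1.18.0"))
```

The allowlist check is deliberately strict: an OpenSSL macro such as `HIGH` is reported even though it may expand to acceptable suites, because the expansion varies by OpenSSL build and the point of copying an explicit list is that reviewers can see exactly which TLS 1.2 suites are offered. The `ssl_ecdh_curve auto` check mirrors the PR's reasoning that a pinned curve stops newer OpenSSL builds from offering their default groups.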
Commits

fix: force SSL/TLS for vsftpd by default

While we have already configured ssl_enable=YES, the client could still log on and transfer data insecurely without these two options enabled.

fix: remove TLSv1 and TLSv1.1, add TLSv1.3

TLSv1 and TLSv1.1 were deprecated in 2021 and we should definitely remove them now.
Some ciphers in TLSv1.2 are not considered safe any more, so we should only enable some of them (no need to do this with TLSv1.3). The list here is copied from the default settings of Caddy as of now, see:
https://github.com/caddyserver/caddy/blob/master/modules/caddytls/values.go#L49
Note that I wanted to add `ssl_conf_command Options PrioritizeChaCha;` as well, such that non-AES-NI devices (e.g. older Android) can automatically switch to CHACHA20 ciphers; however, this requires nginx > 1.19.4, but Debian 11 and Ubuntu 20.04 LTS are still on nginx 1.18.0. Maybe we can add this later, or not... given that the quickbox-lite panel is primarily for desktop use, and those devices are pretty much obsolete anyway.
I also changed `ssl_ecdh_curve` to `auto`, such that users running newer versions of nginx/openssl automatically use modern curves such as X25519MLKEM768 while maintaining compatibility with older versions.