From efee146044b47b1da6ad746ff8f4ac8b4178662d Mon Sep 17 00:00:00 2001
From: James Graham
Date: Fri, 24 Apr 2020 15:01:40 +0100
Subject: [PATCH 1/2] security: Disable TLS < 1.2

---
 roles/webserver/templates/nginx-site-ssl.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/webserver/templates/nginx-site-ssl.j2 b/roles/webserver/templates/nginx-site-ssl.j2
index ba5f461..6c969cf 100644
--- a/roles/webserver/templates/nginx-site-ssl.j2
+++ b/roles/webserver/templates/nginx-site-ssl.j2
@@ -5,6 +5,7 @@ server {
 ssl_certificate /etc/ssl/crt/{{ inventory_hostname }}.crt;
 ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
 # Cache and tickets improve performance by ~10% on small requests
 ssl_session_cache shared:SSL:1m;

From b99aa77d7b0e8413d2e1cdb6eee3d3f94c82d4fe Mon Sep 17 00:00:00 2001
From: James Graham
Date: Fri, 24 Apr 2020 15:14:31 +0100
Subject: [PATCH 2/2] security: Remove TLSv1.3

Required version of openssl not available on RHEL
---
 roles/webserver/templates/nginx-site-ssl.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/webserver/templates/nginx-site-ssl.j2 b/roles/webserver/templates/nginx-site-ssl.j2
index 6c969cf..bc135bc 100644
--- a/roles/webserver/templates/nginx-site-ssl.j2
+++ b/roles/webserver/templates/nginx-site-ssl.j2
@@ -5,7 +5,7 @@ server {
 ssl_certificate /etc/ssl/crt/{{ inventory_hostname }}.crt;
 ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_protocols TLSv1.2;
 # Cache and tickets improve performance by ~10% on small requests
 ssl_session_cache shared:SSL:1m;
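Review bot: The added `ssl_protocols TLSv1.2 TLSv1.3;` raises the protocol floor but nothing in the hunk constrains which cipher suites TLS 1.2 may negotiate, so unless `ssl_ciphers` is set elsewhere in this template the list is whatever the target host's nginx/OpenSSL build defaults to, which can still include RSA key exchange (no forward secrecy) and CBC suites. A companion line beside the new directive, e.g. `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;`, would make the policy explicit rather than build-dependent. The "Cache and tickets" comment just below suggests session tickets are enabled; if so, a ticket key that is never rotated via `ssl_session_ticket_key` undercuts forward secrecy for resumed sessions, which deserves at least a comment — I cannot confirm the ticket setting from the visible lines. The enclosing `server { … }` block starts before and ends after the hunk.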
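Review bot: The replacement line `ssl_protocols TLSv1.2;` hard-codes the protocol set for every host this template is rendered on, while the reason TLSv1.3 was dropped (the OpenSSL build on the RHEL targets, per the commit message) survives only in git history. Carry it into the template so the next editor does not blindly re-add it or, worse, assume TLS 1.3 is already on, e.g. a preceding comment `# TLSv1.3 omitted: the OpenSSL shipped on our RHEL targets does not support it; re-enable once the fleet runs OpenSSL >= 1.1.1`. If the inventory mixes hosts whose OpenSSL does support TLS 1.3, a host-level variable such as `ssl_protocols {{ nginx_ssl_protocols | default('TLSv1.2') }};` would let those hosts keep it instead of disabling it fleet-wide. The enclosing `server { … }` block starts before and ends after the hunk.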