{ lib }:
{
  tlsRecommendationsOption = lib.mkOption {
    type = lib.types.nullOr (
      lib.types.enum [
        "modern"
        "intermediate"
        "old"
      ]
    );
    default = null;
    example = "intermediate";
    description = ''
      By default H2O accepts every TLS version and cipher suite that it and
      the TLS library it is linked against (OpenSSL) support; tightening this
      is left to the administrator. Setting some constraints is strongly
      recommended. If unsure which settings to use, this option applies one of
      the curated profiles from Mozilla’s ‘SSL Configuration Generator’ (see
      <https://ssl-config.mozilla.org>); the rationale behind each profile is
      documented on Mozilla’s wiki (see
      <https://wiki.mozilla.org/Security/Server_Side_TLS>).

      modern
      : Services whose clients all support TLS 1.3 and that need no backward
        compatibility

      intermediate
      : General-purpose servers with a variety of clients; recommended for
        almost all systems

      old
      : Compatible with a number of very old clients; should be used only as
        a last resort

      The default for all virtual hosts is set with
      `services.h2o.defaultTLSRecommendations` and can be overridden per host
      with `services.h2o.hosts.<name>.tls.recommendations`. Values set manually
      in `services.h2o.hosts.<name>.tls.extraSettings` in turn take precedence
      over the chosen profile.
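      For example (an illustrative configuration added to this description,
      not one shipped with the module; the host names, `enable`, the
      `minimum-version` H2O key and the `openssl` override argument are
      assumptions):

      ```nix
      { pkgs, ... }:
      {
        services.h2o = {
          enable = true;

          # Applies to every virtual host that does not set its own value.
          defaultTLSRecommendations = "intermediate";

          # API consumed only by current clients: TLS 1.3 only (Mozilla "modern").
          hosts."api.example.com".tls.recommendations = "modern";

          # Inherits "intermediate" from the default above. Keys set in
          # extraSettings take precedence over the profile; `minimum-version`
          # is H2O's own ssl key and is assumed to pass through unchanged here.
          hosts."www.example.com".tls.extraSettings = {
            "minimum-version" = "TLSv1.2";
          };

          # Last resort for legacy clients. The "old" profile may need an
          # OpenSSL that still ships the weak suites; this assumes the h2o
          # derivation accepts an `openssl` argument.
          hosts."legacy.example.com".tls.recommendations = "old";
          package = pkgs.h2o.override { openssl = pkgs.openssl_legacy; };
        };
      }
      ```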

      NOTE: the `old` profile re-enables TLS 1.0/1.1 and 3DES-based suites,
      so treat it as a temporary compatibility measure. Those older, weaker
      cipher suites may also require building H2O against a different OpenSSL
      (such as `openssl_legacy`), which can be done via
      `services.h2o.package`.
    '';
  };
}