From 35f092ca304b93b24aa928c04cd873eaeda5c764 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Fri, 17 Nov 2017 09:00:54 +0100 Subject: [PATCH] Update doc with SSL_POLICY values --- README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a729d5f..c44bf80 100644 --- a/README.md +++ b/README.md @@ -247,10 +247,18 @@ included because the following browsers will stop working when it is removed: Ch IE < 11, Safari < 7, iOS < 5, Android Browser < 5. If you don't require backward compatibility, you can use the [Mozilla modern profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) -profile instead by including the environment variable `MODERN_SSL=true` to your container. +profile instead by including the environment variable `SSL_POLICY=Mozilla-Modern` to your container. This profile is compatible with clients back to Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8. +Other policies available through the `SSL_POLICY` environment variable are [`Mozilla-Old`](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility) +and the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) +`AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`. + +Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container generates +a 2048 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing +this, either globally or per virtual-host. + The default behavior for the proxy when port 80 and 443 are exposed is as follows: * If a container has a usable cert, port 80 will redirect to 443 for that container so that HTTPS
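Review bot: The added `Mozilla-Old` paragraph says the Diffie-Hellman Groups section "details different methods of bypassing this", which leaves unclear what "this" is and presents a move to a 1024-bit DH key as a neutral compatibility step. Say explicitly that the container keeps its generated 2048-bit key unless the reader overrides it, that overriding it with a 1024-bit group trades key strength for compatibility with old clients, and that the override can be limited to a single virtual host; "1024-bit" and "2048-bit" also read better than "1024 bits" and "2048 bits". In the replaced line, `MODERN_SSL=true` disappears from the README with no word on whether it is still honoured, so a one-sentence migration note for existing deployments would help, as would stating which policy applies when `SSL_POLICY` is unset. The same line still begins with "profile instead" directly after the "[Mozilla modern profile]" link text, so the rendered sentence repeats "profile"; drop one, and "adding the environment variable ... to your container" is cleaner than "including ... to".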