diff --git a/nixos/modules/services/web-servers/h2o/common.nix b/nixos/modules/services/web-servers/h2o/common.nix
index d2efc886dd8b..9f935717972d 100644
--- a/nixos/modules/services/web-servers/h2o/common.nix
+++ b/nixos/modules/services/web-servers/h2o/common.nix
@@ -5,7 +5,6 @@
 lib.types.enum [
 "modern"
 "intermediate"
- "old"
 ]
 );
 default = null;
@@ -28,10 +27,6 @@
 : General-purpose servers with a variety of clients, recommended for almost all systems
- old
- : Compatible with a number of very old clients, & should be used only as
- a last resort
-
 The default for all virtual hosts can be set with services.h2o.defaultTLSRecommendations, but this value can be overridden on a per-host basis using services.h2o.hosts..tls.recommmendations.
diff --git a/nixos/modules/services/web-servers/h2o/default.nix b/nixos/modules/services/web-servers/h2o/default.nix
index 108c9190cc53..bea521ccc624 100644
--- a/nixos/modules/services/web-servers/h2o/default.nix
+++ b/nixos/modules/services/web-servers/h2o/default.nix
@@ -84,8 +84,8 @@ let
 # other settings with the tests @
 # `nixos/tests/web-servers/h2o/tls-recommendations.nix`
 # & run with `nix-build -A nixosTests.h2o.tls-recommendations`
- version = "5.7";
- git_tag = "v5.7.1";
+ version = "6.0";
+ git_tag = "v6.0";
 guidelinesJSON = lib.pipe {
@@ -93,7 +93,7 @@ let
 "https://ssl-config.mozilla.org/guidelines/${version}.json"
 "https://raw.githubusercontent.com/mozilla/ssl-config-generator/refs/tags/${git_tag}/src/static/guidelines/${version}.json"
 ];
- sha256 = "sha256:1mj2pcb1hg7q2wpgdq3ac8pc2q64wvwvwlkb9xjmdd9jm4hiyny7";
+ sha256 = "sha256-aHdzLNPo4c6jlbS+Fg3R0X5VcdPKtUky0oX5Q7Y94SQ=";
 }
 [
 pkgs.fetchurl
diff --git a/nixos/tests/web-servers/h2o/tls-recommendations.nix b/nixos/tests/web-servers/h2o/tls-recommendations.nix
index ca5116494fab..b55f5a852082 100644
--- a/nixos/tests/web-servers/h2o/tls-recommendations.nix
+++ b/nixos/tests/web-servers/h2o/tls-recommendations.nix
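Review bot: Dropping `"old"` from the enum in the first hunk turns any existing `tls.recommendations = "old"` (or `services.h2o.defaultTLSRecommendations = "old"`) into a bare enum type error at evaluation time, and nothing in the change tells the user the profile is gone or that `"intermediate"` is the intended replacement; the enum's option definition starts before the hunk and continues past it. Because this changes a user-facing option value (presumably because the 6.0 guidelines fetched in default.nix no longer carry an "old" configuration), a release-notes entry naming the removed value and its replacement is warranted. The description in the second hunk of this file should also state the removal rather than silently losing the paragraph, e.g. a line after the intermediate entry reading `The "old" profile was removed together with the Mozilla 6.0 guidelines; use "intermediate" instead.`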
@@ -25,7 +25,6 @@ let
 lib.optionalAttrs
 (builtins.elem recommendations [
 "intermediate"
- "old"
 ])
 {
 openssl = pkgs.openssl_legacy;
@@ -83,24 +82,20 @@ in
 nodes = {
 server_modern = mkH2OServer "modern";
 server_intermediate = mkH2OServer "intermediate";
- server_old = mkH2OServer "old";
 };
 testScript = { nodes, ... }: let
- inherit (nodes) server_modern server_intermediate server_old;
+ inherit (nodes) server_modern server_intermediate;
 modernPortStr = toString server_modern.services.h2o.hosts.${domain}.tls.port;
 intermediatePortStr = toString server_intermediate.services.h2o.hosts.${domain}.tls.port;
- oldPortStr = toString server_old.services.h2o.hosts.${domain}.tls.port;
 in
- # python
- ''
+ /* python */ ''
 curl_basic = "curl -v --tlsv1.3 --http2 'https://${domain}:{port}/'"
 curl_head = "curl -v --head 'https://${domain}:{port}/'"
 curl_max_tls1_2 ="curl -v --tlsv1.0 --tls-max 1.2 'https://${domain}:{port}/'"
 curl_max_tls1_2_intermediate_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' 'https://${domain}:{port}/'"
- curl_max_tls1_2_old_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256' 'https://${domain}:{port}/'"
 start_all()
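Review bot: With `"old"` gone, `builtins.elem recommendations [ "intermediate" ]` in the first hunk is a membership test against a single-element list, which reads as if more profiles were expected; `lib.optionalAttrs (recommendations == "intermediate") {` states the same condition directly. The `let` binding this sits in starts before the hunk.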
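Review bot: The only negative TLS assertion in this test disappears along with the old profile: `curl_max_tls1_2_old_cipher` is removed at the end of the second hunk and `server_intermediate.fail(curl_max_tls1_2_old_cipher.format(port="${intermediatePortStr}"))` is removed in the next hunk, so the intermediate server is now only checked to accept its own cipher list, never to refuse the weaker CBC/SHA256 suites. That probe does not need a server that accepts it to stay useful; keep the variable under a name that no longer refers to the profile, e.g. `curl_max_tls1_2_cbc_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256' 'https://${domain}:{port}/'"`, and keep the `server_intermediate.fail(...)` line with the renamed variable. The testScript string starts in this hunk and continues past it.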
@@ -120,16 +115,5 @@ in
 assert "strict-transport-security" in intermediate_head
 server_intermediate.succeed(curl_max_tls1_2.format(port="${intermediatePortStr}"))
 server_intermediate.succeed(curl_max_tls1_2_intermediate_cipher.format(port="${intermediatePortStr}"))
- server_intermediate.fail(curl_max_tls1_2_old_cipher.format(port="${intermediatePortStr}"))
-
- server_old.wait_for_unit("h2o.service")
- server_old.wait_for_open_port(${oldPortStr})
- old_response = server_old.succeed(curl_basic.format(port="${oldPortStr}"))
- assert "Hello, old!" in old_response
- old_head = server_modern.succeed(curl_head.format(port="${oldPortStr}"))
- assert "strict-transport-security" in old_head
- server_old.succeed(curl_max_tls1_2.format(port="${oldPortStr}"))
- server_old.succeed(curl_max_tls1_2_intermediate_cipher.format(port="${oldPortStr}"))
- server_old.succeed(curl_max_tls1_2_old_cipher.format(port="${oldPortStr}"))
 '';
 }