From 8cb74400da14de09ff1a95df26a8fcab7b797be4 Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Thu, 25 Jul 2019 11:22:14 -0700
Subject: [PATCH] Enable TLS v1.3 in NGINX

Now that we're shipping OpenSSL v1.1.1 and TLS v1.3 is becoming used more frequently, let's enable it by default.
More details:
* https://wiki.openssl.org/index.php/TLS1.3
* https://blog.cloudflare.com/introducing-tls-1-3/
This mirrors the change made in Omnibus: https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/3458/diffs
---
 changelogs/unreleased/sh-enable-tls-1-3.yml | 5 +++++
 values.yaml | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/sh-enable-tls-1-3.yml
diff --git a/changelogs/unreleased/sh-enable-tls-1-3.yml b/changelogs/unreleased/sh-enable-tls-1-3.yml
new file mode 100644
index 0000000000..3c15ca777b
--- /dev/null
+++ b/changelogs/unreleased/sh-enable-tls-1-3.yml
@@ -0,0 +1,5 @@
+---
+title: Enable TLS v1.3 in NGINX
+merge_request: 883
+author:
+type: changed
diff --git a/values.yaml b/values.yaml
index e95e55dc7f..7a7df86e62 100644
--- a/values.yaml
+++ b/values.yaml
@@ -348,7 +348,7 @@ nginx-ingress:
 enable-vts-status: "true"
 use-http2: "false"
 ssl-ciphers: "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
- ssl-protocols: "TLSv1.1 TLSv1.2"
+ ssl-protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
 server-tokens: "false"
 extraArgs:
 force-namespace-isolation: ""
-- 
GitLab
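Review bot: In the values.yaml hunk the new `ssl-protocols` value still lists TLSv1.1, so the default raises the highest version offered while leaving the lowest one unchanged, and clients that offer nothing newer are still served over a version that has no AEAD cipher suites. Unless a supported client population needs it, the default could be `ssl-protocols: "TLSv1.2 TLSv1.3"`, with TLSv1.1 documented as an opt-in override. The `ssl-ciphers` string on the context line above only governs TLS 1.2 and below, because NGINX passes it to OpenSSL's pre-1.3 cipher list, so a comment such as `# ssl-ciphers applies to TLS <= 1.2 only; TLS 1.3 suites come from the OpenSSL defaults` would stop readers assuming the list constrains 1.3. TLSv1.3 also only takes effect if the ingress controller's NGINX is built against OpenSSL 1.1.1 or later, which this patch does not show, so it is worth confirming for the chart's controller image. The enclosing nginx-ingress config mapping starts and continues outside the hunk.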