Nginx frontend configuration for Android 7
After a lot of fiddling, I have fixed the Nginx configuration so that it runs properly on Android 7 mobiles. As it involves downgrading ssl_ecdh_curve from secp384r1 to prime256v1, we need to decide whether it's security-critical enough that we want to create a dummy SSL host to capture broken Androids rather than applying it to the GitLab config. Anyway, I think it would make sense, as it would clarify the configuration in case we add another host before "lab" (see https://talk.libreho.st/t/tls-sni-how-to-break-https-on-android-7-0-nougat/171 for explanation).
Note that it would take me a few minutes to fix an aaaa.libreho.st dummy SSL virtual host to take care of this and re-up the GitLab config to secp384r1.
I wanted to have this issue so that we do not have to wonder why this is the case!
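
An added example, not part of the original issue or the project's configuration: a small Python check that lists, in file order, the ssl_ecdh_curve each TLS server block sets and flags the blocks that do not offer prime256v1. The sample configuration and the name lab.example.org are constructed for illustration; server_blocks and audit are hypothetical helper names.

```python
import re

# Curve the issue above reports Android 7 clients needing.
REQUIRED_CURVE = "prime256v1"

# Constructed sample: a dummy host loaded first, then a stand-in for "lab".
SAMPLE = """
server {
    listen 443 ssl;
    server_name aaaa.libreho.st;
    ssl_ecdh_curve prime256v1;      # dummy host for old Androids
}
server {
    listen 443 ssl;
    server_name lab.example.org;
    ssl_ecdh_curve secp384r1;
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""

def server_blocks(conf):
    """Yield one {directive: [args]} dict per server { } block, in file order."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    depth, stmt, block, block_depth = 0, [], None, 0
    for tok in tokens:
        if tok == "{":
            depth += 1
            if stmt == ["server"] and block is None:
                block, block_depth = {}, depth
            stmt = []
        elif tok == "}":
            if block is not None and depth == block_depth:
                yield block
                block = None
            depth, stmt = depth - 1, []
        elif tok == ";":
            # Record only directives directly inside the server block.
            if block is not None and depth == block_depth and stmt:
                block.setdefault(stmt[0], []).extend(stmt[1:])
            stmt = []
        else:
            stmt.append(tok)

def audit(conf):
    """Return (server_name, curves, offers_required) per TLS block that sets a curve."""
    rows = []
    for blk in server_blocks(conf):
        if "ssl" not in blk.get("listen", []) or "ssl_ecdh_curve" not in blk:
            continue
        curves = blk["ssl_ecdh_curve"][0].split(":")   # colon-separated list
        rows.append((blk.get("server_name", ["(unnamed)"])[0], curves, REQUIRED_CURVE in curves))
    return rows

if __name__ == "__main__":
    for name, curves, ok in audit(SAMPLE):
        print(f"{name}: {':'.join(curves)} {'ok' if ok else 'no ' + REQUIRED_CURVE}")
```

Blocks that leave ssl_ecdh_curve unset are skipped, since this check does not resolve values inherited from an enclosing context.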