cloudflare · slicerpro · May 13, 2016 · Jun 10, 2016 · Jun 11, 2016 · Jun 11, 2016
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -0,0 +1,23 @@
+
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push: 
+    branches:
+      - main
+      - master
+name: Semgrep config
+jobs:
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-20.04
+    env:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+      SEMGREP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
+    container:
+      image: returntocorp/semgrep
+    steps:
+      - uses: actions/checkout@v3
+      - run: semgrep ci
diff --git a/README.md b/README.md
@@ -1,22 +1,19 @@
 sslconfig
 =========
 
-CloudFlare's Internet facing SSL cipher configuration
+Cloudflare's Internet facing SSL cipher configuration
 
 This repository tracks the history of the SSL cipher configuration used for
-CloudFlare's public-facing SSL web servers. The repository tracks an internal
-CloudFlare repository, but dates may not exactly match when changes are made.
+Cloudflare's public-facing SSL web servers. The repository tracks an internal
+Cloudflare repository, but dates may not exactly match when changes are made.
 
 There is a single file called conf which contains the configuration used in
-CloudFlare's NGINX servers. This is only a fragment of the configuration.
-
-We currently use OpenSSL 1.0.2-stable (+ patches).
-
+Cloudflare's NGINX servers. This is only a fragment of the configuration.
 
 ChaCha20/Poly1305 patch
 -----------------------
 
-CloudFlare uses [a patch](patches/openssl__chacha20_poly1305_cf.patch) for
+Cloudflare uses [a patch](patches/openssl__chacha20_poly1305_cf.patch) for
 OpenSSL that enables the ChaCha20/Poly1305 cipher suites and implements
 special logic to ensure it is only taken if it is the client's top cipher
 choice.  Without this patch, the cipher suite choice in the configuration

diff --git a/conf b/conf
@@ -1,3 +1,4 @@
-ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers                 EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ecdh_curve              X25519:P-256:P-384:P-521;
+ssl_ciphers                 '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
 ssl_prefer_server_ciphers   on;