Following the post, I would like to suggest fixing Nginx cipher suites.
By default, the “ssl_ciphers” directive carries the following parameters in the Nginx config:
ECDHE-ECDSA-AES256-GCM-SHA384 is a cipher suite and the abbreviation ECDSA is used to define the algorithm for authentication purposes. ECDSA stands for Elliptic Curve Digital Signature Algorithm and is used with ECC (Elliptic Curve Cryptography) certificates.
ECDSA cannot be used with RSA certificates, which are generated by default by the Bitwarden installation script. I understand that such a broad cipher suite range was probably set up for users who utilize their own certificates; however, there is no point in including ciphers that will not be applied.
Dear developers, consider adding the possibility to provide users with a choice of generating RSA or ECC certificates during Bitwarden installation, since ECC certs are, in fact, smaller and more secure.
Then, if one selects an algorithm, it is clear that they would rely on LE certificates generated by the Bitwarden script, and the appropriate cipher suite list can be applied in this case.
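As an added illustration of the mismatch described in this post (not part of the original post and not Bitwarden's code), the following Python sketch splits an `ssl_ciphers` value into suites that the installed certificate key type can negotiate and suites that it cannot. The cipher string is a constructed sample, the function names are hypothetical, and the classification is a name-based heuristic that assumes explicit OpenSSL suite names rather than keywords such as `HIGH`.

```python
# Added example: find ssl_ciphers entries the installed certificate cannot serve.
# Heuristic on OpenSSL suite names; assumes explicit names, not keywords like HIGH.

def auth_algorithm(suite):
    """Authentication algorithm implied by an OpenSSL cipher suite name."""
    if suite.startswith("TLS_"):
        return "any"  # TLS 1.3 suite names do not encode the signature algorithm
    tokens = suite.split("-")
    for alg in ("ECDSA", "DSS", "PSK", "SRP"):
        if alg in tokens:
            return alg
    if tokens[0] in ("ADH", "AECDH"):
        return "anon"  # anonymous suites do not use a certificate at all
    return "RSA"  # ECDHE-RSA-*, DHE-RSA-* and plain AES*-... (RSA key exchange)


def split_ciphers(ssl_ciphers, cert_keys):
    """Split a cipher string into (usable, unmatched) for the installed key types.

    cert_keys is a set such as {"RSA"}, {"ECDSA"} or {"RSA", "ECDSA"} (dual certs).
    unmatched holds suites whose authentication matches no installed key type.
    """
    usable, unmatched = [], []
    for entry in ssl_ciphers.split(":"):
        entry = entry.strip()
        if not entry or entry[0] in "!+-@":
            continue  # exclusion/ordering operators are not suites
        alg = auth_algorithm(entry)
        (usable if alg == "any" or alg in cert_keys else unmatched).append(entry)
    return usable, unmatched


def trimmed_directive(ssl_ciphers, cert_keys):
    """Render an ssl_ciphers line containing only suites the certificate can serve."""
    usable, _ = split_ciphers(ssl_ciphers, cert_keys)
    return "ssl_ciphers " + ":".join(usable) + ";"


# Constructed sample list (not the list from the Bitwarden config).
SAMPLE = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
          "DHE-RSA-AES128-GCM-SHA256:!aNULL")

if __name__ == "__main__":
    usable, unmatched = split_ciphers(SAMPLE, {"RSA"})
    print("not usable with an RSA certificate:", unmatched)
    print(trimmed_directive(SAMPLE, {"RSA"}))
```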