irregular reminder for #MastoAdmin :

yawnbox@disobey.net

irregular reminder for #MastoAdmin :

1. TLS 1.3 -only instances work. disobey.net has been doing it for over a year. Mastodon apps/clients work too.

2. RSA-4096 is ideal, if you listen to the German BSI who have reported that "At comparable classical security levels … elliptic curves appear to require less resources than factoring an RSA modulus with Shor’s approach."

3. Debian 13 supports OpenSSL 3.5.4 natively, meaning you can enable hybrid (post-quantum, MLKEM) groups for your users

4. nginx supports explicit configurations for setting and prioritizing MLKEM groups and TLS 1.3 ciphers

I document all of this in my short blog post, "modern nginx cryptography": https://yawnbox.eu/blog/modern-nginx-crypto/