2018-11-25 19:13:33 +01:00
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
# | SSL policy - Intermediate |
|
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
|
2019-02-01 16:10:06 +01:00
|
|
|
# For services that don't need backward compatibility, the parameters
|
|
|
|
# below provide a higher level of security.
|
2018-11-25 19:13:33 +01:00
|
|
|
#
|
2019-05-15 18:26:04 +02:00
|
|
|
# (!) This policy enforces a strong SSL configuration, which may raise
|
2019-02-01 16:10:06 +01:00
|
|
|
# errors with old clients.
|
2019-05-15 18:26:04 +02:00
|
|
|
# If a more compatible profile is required, use the intermediate policy.
|
2018-11-25 19:13:33 +01:00
|
|
|
#
|
2019-02-01 16:10:06 +01:00
|
|
|
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known
|
|
|
|
# to be weak and potentially vulnerable but are required to support
|
|
|
|
# Microsoft Edge and Safari.
|
|
|
|
# https://safecurves.cr.yp.to/
|
2018-12-02 17:05:11 +01:00
|
|
|
#
|
2018-11-25 19:13:33 +01:00
|
|
|
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
|
|
|
|
2019-02-01 16:10:06 +01:00
|
|
|
ssl_protocols TLSv1.2;
|
|
|
|
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
2018-12-02 17:05:11 +01:00
|
|
|
|
|
|
|
# (1)
|
2019-02-01 16:10:06 +01:00
|
|
|
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|