server-configs-nginx/h5bp/tls/policy_balanced.conf

# ----------------------------------------------------------------------
# | SSL policy - Balanced                                              |
# ----------------------------------------------------------------------

# For services that need to support a wide range of clients, this configuration
# is reasonably balanced.
#
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
#     and potentially vulnerable but are required to support Microsoft Edge
#     and Safari.
#     https://safecurves.cr.yp.to/
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html

ssl_protocols TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES;

# (1)
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
Split SSL config Prepare #180 2018-11-25 19:13:33 +01:00			`# ----------------------------------------------------------------------`
Modernize TLS configuration 2021-06-14 12:43:22 +02:00			`# \| SSL policy - Balanced \|`
Split SSL config Prepare #180 2018-11-25 19:13:33 +01:00			`# ----------------------------------------------------------------------`

Modernize TLS configuration 2021-06-14 12:43:22 +02:00			`# For services that need to support a wide range of clients, this configuration`
Fix documentation wording 2021-06-14 20:21:21 +02:00			`# is reasonably balanced.`
Split SSL config Prepare #180 2018-11-25 19:13:33 +01:00			`#`
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			`# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak`
			`# and potentially vulnerable but are required to support Microsoft Edge`
			`# and Safari.`
Rotate ssl policies to modernize protocols recommendations Closes #210 2019-02-01 16:10:06 +01:00			`# https://safecurves.cr.yp.to/`
Add DH parameters note to policy_intermediate.conf (#212) For DHE ciphersuites, adding a diffie hellman parameter is a good practice. Only the intermediate policy uses DHE ciphersuites. 2018-12-02 17:05:11 +01:00			`#`
Split SSL config Prepare #180 2018-11-25 19:13:33 +01:00			`# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations`
			`# https://nginx.org/en/docs/http/ngx_http_ssl_module.html`

Rotate ssl policies to modernize protocols recommendations Closes #210 2019-02-01 16:10:06 +01:00			`ssl_protocols TLSv1.2;`
			`ssl_ciphers EECDH+CHACHA20:EECDH+AES;`
Add DH parameters note to policy_intermediate.conf (#212) For DHE ciphersuites, adding a diffie hellman parameter is a good practice. Only the intermediate policy uses DHE ciphersuites. 2018-12-02 17:05:11 +01:00
			`# (1)`
Rotate ssl policies to modernize protocols recommendations Closes #210 2019-02-01 16:10:06 +01:00			`ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;`