server-configs-nginx/h5bp/tls/policy_strict.conf

# ----------------------------------------------------------------------
# | SSL policy - Strict                                                |
# ----------------------------------------------------------------------

# For services that don't need backward compatibility, the parameters below
# provide the highest level of security and performance.
#
# (!) This policy enforces a strong TLS configuration, which may raise
#     errors with old clients.
#     If a more compatible profile is required, use the "balanced" policy.
#
# (!) TLSv1.3 and its 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
#     to be installed.
#
# (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are
#     subject to replay attacks.
#
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
#     and potentially vulnerable.
#
#     Add them back to the parameter `ssl_ecdh_curve` below to support
#     Microsoft Edge and Safari.
#
#     https://safecurves.cr.yp.to/
#
# (2) Enables TLS 1.3 0-RTT, allows for faster resumption of TLS sessions.
#
# (!) Requests sent within early data are subject to replay attacks.
#     To protect against such attacks at the application layer, the
#     `$ssl_early_data` variable should be used:
#
#         proxy_set_header Early-Data $ssl_early_data;
#
#     The application should return response code 425 "Too Early" for anything
#     that could contain user supplied data.
#
#     https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425
#
# https://github.com/certbot/certbot/issues/6367
# https://github.com/mozilla/server-side-tls/issues/217
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+AES;

# (1)
ssl_ecdh_curve X25519;

# (2)
#ssl_early_data on;
Add a modern profile for SSL policy TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attack](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites) You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle). The same, non PFS cipher suite is not at all recommended (see heartbleed effect). DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [mitm attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (arround ~25min in the video) with only one side supporting weak cipher suite. 3DES is deprecated and suffer from [sweet32](sweet32.info) So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and a very better security than the actual cipher suite. Fix #201 Fix #183 Fix #190 Prepare #180 Co-authored-by: aeris <aeris@users.noreply.github.com> 2018-11-25 19:36:21 +01:00			`# ----------------------------------------------------------------------`
Modernize TLS configuration 2021-06-14 12:43:22 +02:00			`# \| SSL policy - Strict \|`
Add a modern profile for SSL policy TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attack](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites) You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle). The same, non PFS cipher suite is not at all recommended (see heartbleed effect). DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [mitm attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (arround ~25min in the video) with only one side supporting weak cipher suite. 3DES is deprecated and suffer from [sweet32](sweet32.info) So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and a very better security than the actual cipher suite. Fix #201 Fix #183 Fix #190 Prepare #180 Co-authored-by: aeris <aeris@users.noreply.github.com> 2018-11-25 19:36:21 +01:00			`# ----------------------------------------------------------------------`

Modernize TLS configuration 2021-06-14 12:43:22 +02:00			`# For services that don't need backward compatibility, the parameters below`
			`# provide the highest level of security and performance.`
			`#`
			`# (!) This policy enforces a strong TLS configuration, which may raise`
			`# errors with old clients.`
			`# If a more compatible profile is required, use the "balanced" policy.`
Add a modern profile for SSL policy TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attack](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites) You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle). The same, non PFS cipher suite is not at all recommended (see heartbleed effect). DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [mitm attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (arround ~25min in the video) with only one side supporting weak cipher suite. 3DES is deprecated and suffer from [sweet32](sweet32.info) So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and a very better security than the actual cipher suite. Fix #201 Fix #183 Fix #190 Prepare #180 Co-authored-by: aeris <aeris@users.noreply.github.com> 2018-11-25 19:36:21 +01:00			`#`
Improve writing [ci skip] 2020-12-29 18:22:16 +01:00			`# (!) TLSv1.3 and its 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1`
Rotate ssl policies to modernize protocols recommendations Closes #210 2019-02-01 16:10:06 +01:00			`# to be installed.`
Add a modern profile for SSL policy TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attack](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites) You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle). The same, non PFS cipher suite is not at all recommended (see heartbleed effect). DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [mitm attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (arround ~25min in the video) with only one side supporting weak cipher suite. 3DES is deprecated and suffer from [sweet32](sweet32.info) So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and a very better security than the actual cipher suite. Fix #201 Fix #183 Fix #190 Prepare #180 Co-authored-by: aeris <aeris@users.noreply.github.com> 2018-11-25 19:36:21 +01:00			`#`
Rotate ssl policies to modernize protocols recommendations Closes #210 2019-02-01 16:10:06 +01:00			# (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are
			`# subject to replay attacks.`
			`#`
			`# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak`
			`# and potentially vulnerable.`
			`#`
			# Add them back to the parameter `ssl_ecdh_curve` below to support
Add note explaining secure eleptic curve situation for modern TLS profile preset (#209) 2018-11-30 12:12:02 +01:00			`# Microsoft Edge and Safari.`
Rotate ssl policies to modernize protocols recommendations Closes #210 2019-02-01 16:10:06 +01:00			`#`
Add note explaining secure eleptic curve situation for modern TLS profile preset (#209) 2018-11-30 12:12:02 +01:00			`# https://safecurves.cr.yp.to/`
			`#`
Rotate ssl policies to modernize protocols recommendations Closes #210 2019-02-01 16:10:06 +01:00			`# (2) Enables TLS 1.3 0-RTT, allows for faster resumption of TLS sessions.`
			`#`
			`# (!) Requests sent within early data are subject to replay attacks.`
			`# To protect against such attacks at the application layer, the`
Improve writing [ci skip] 2020-12-29 18:22:16 +01:00			# `$ssl_early_data` variable should be used:
			`#`
			`# proxy_set_header Early-Data $ssl_early_data;`
Rotate ssl policies to modernize protocols recommendations Closes #210 2019-02-01 16:10:06 +01:00			`#`
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			`# The application should return response code 425 "Too Early" for anything`
			`# that could contain user supplied data.`
Rotate ssl policies to modernize protocols recommendations Closes #210 2019-02-01 16:10:06 +01:00			`#`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425`
			`#`
			`# https://github.com/certbot/certbot/issues/6367`
			`# https://github.com/mozilla/server-side-tls/issues/217`
Add a modern profile for SSL policy TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attack](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites) You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle). The same, non PFS cipher suite is not at all recommended (see heartbleed effect). DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [mitm attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (arround ~25min in the video) with only one side supporting weak cipher suite. 3DES is deprecated and suffer from [sweet32](sweet32.info) So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and a very better security than the actual cipher suite. Fix #201 Fix #183 Fix #190 Prepare #180 Co-authored-by: aeris <aeris@users.noreply.github.com> 2018-11-25 19:36:21 +01:00			`# https://nginx.org/en/docs/http/ngx_http_ssl_module.html`

Rotate ssl policies to modernize protocols recommendations Closes #210 2019-02-01 16:10:06 +01:00			`ssl_protocols TLSv1.2 TLSv1.3;`
Add a modern profile for SSL policy TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attack](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites) You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle). The same, non PFS cipher suite is not at all recommended (see heartbleed effect). DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [mitm attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (arround ~25min in the video) with only one side supporting weak cipher suite. 3DES is deprecated and suffer from [sweet32](sweet32.info) So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and a very better security than the actual cipher suite. Fix #201 Fix #183 Fix #190 Prepare #180 Co-authored-by: aeris <aeris@users.noreply.github.com> 2018-11-25 19:36:21 +01:00			`ssl_ciphers EECDH+CHACHA20:EECDH+AES;`
Improve SSL directives declarations, order and descriptions 2018-12-02 12:47:06 +01:00
Add note explaining secure eleptic curve situation for modern TLS profile preset (#209) 2018-11-30 12:12:02 +01:00			`# (1)`
Rotate ssl policies to modernize protocols recommendations Closes #210 2019-02-01 16:10:06 +01:00			`ssl_ecdh_curve X25519;`

			`# (2)`
			`#ssl_early_data on;`