From 22abda74952c9bf7cc2cc37ad8275695a6e6833e Mon Sep 17 00:00:00 2001
From: avj
Date: Fri, 24 Feb 2023 16:24:52 -0500
Subject: [PATCH] Set `ssl_prefer_server_ciphers` to `off` (#328)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Léo Colombaro
---
 h5bp/tls/ssl_engine.conf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/h5bp/tls/ssl_engine.conf b/h5bp/tls/ssl_engine.conf
index 41d477d..4c3b33a 100644
--- a/h5bp/tls/ssl_engine.conf
+++ b/h5bp/tls/ssl_engine.conf
@@ -25,7 +25,10 @@
 # https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
 # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
 #
-# (5) Basic security improvements
+# (5) The TLS 1.2 and 1.3 ciphers in use in current policies are not considered
+# dangerous. This directive let the client choose the one that best fits their needs.
+# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
+# https://wiki.mozilla.org/Security/Server_Side_TLS
 
 # (1)
 ssl_session_timeout 24h;
@@ -41,4 +44,4 @@ keepalive_timeout 300s;
 ssl_session_tickets off;
 
 # (5)
-ssl_prefer_server_ciphers on;
+ssl_prefer_server_ciphers off;
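Review bot: The new (5) comment asserts that the ciphers "are not considered dangerous", but that property comes from the `ssl_ciphers` list in the policy files the comment refers to, not from anything in this file, and with `ssl_prefer_server_ciphers off` any suite later added to that list for compatibility becomes client-selectable; the comment should record that coupling, e.g. `# (5) Let the client pick the cipher suite. Safe only while the ssl_ciphers list in the selected policy contains no weak suites; revisit this setting whenever that list is widened.` The sentence `This directive let the client choose` should read `lets`. The same dependency applies to the directive change in the second hunk (`ssl_prefer_server_ciphers off;`), which is where the behaviour actually changes, so a one-line pointer back to the policy files there would help a reader who only sees the directive block.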