gaja-group
/
server-configs-nginx
mirror of https://github.com/h5bp/server-configs-nginx
2
0
Fork 0
Code Issues Releases Wiki Activity

Add note explaining secure eleptic curve situation for modern TLS profile preset (#209)

This commit is contained in:
Ewout van Mansom 2018-11-30 12:12:02 +01:00 committed by Léo Colombaro
parent 5f3ce4f73c
commit 5a2f750c53
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
h5bp/ssl/policy_modern.conf
View File

@ -9,10 +9,16 @@
# errors with old clients. # errors with old clients.
# If a more compatible profile is required, use intermediate policy. # If a more compatible profile is required, use intermediate policy.
# #
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known
# to be weak and potentially vulnerable but are required to support
# Microsoft Edge and Safari.
# https://safecurves.cr.yp.to/
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html # https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES; ssl_ciphers EECDH+CHACHA20:EECDH+AES;
# (1)
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;