Modernize TLS configuration

conf.d/.default.conf

@@ -15,9 +15,9 @@ server {
 
   server_name _;
 
-  include h5bp/ssl/ssl_engine.conf;
-  include h5bp/ssl/certificate_files.conf;
-  include h5bp/ssl/policy_intermediate.conf;
+  include h5bp/tls/ssl_engine.conf;
+  include h5bp/tls/certificate_files.conf;
+  include h5bp/tls/policy_balanced.conf;
 
   return 444;
 }

conf.d/templates/example.com.conf

@@ -15,9 +15,9 @@ server {
 
   server_name www.example.com;
 
-  include h5bp/ssl/ssl_engine.conf;
-  include h5bp/ssl/certificate_files.conf;
-  include h5bp/ssl/policy_intermediate.conf;
+  include h5bp/tls/ssl_engine.conf;
+  include h5bp/tls/certificate_files.conf;
+  include h5bp/tls/policy_balanced.conf;
 
   return 301 $scheme://example.com$request_uri;
 }
@@ -32,9 +32,9 @@ server {
   # The host name to respond to
   server_name example.com;
 
-  include h5bp/ssl/ssl_engine.conf;
-  include h5bp/ssl/certificate_files.conf;
-  include h5bp/ssl/policy_intermediate.conf;
+  include h5bp/tls/ssl_engine.conf;
+  include h5bp/tls/certificate_files.conf;
+  include h5bp/tls/policy_balanced.conf;
 
   # Path for static files
   root /var/www/example.com/public;

h5bp/ssl/policy_deprecated.conf

@@ -1,30 +0,0 @@
-# ----------------------------------------------------------------------
-# | SSL policy - Deprecated                                            |
-# ----------------------------------------------------------------------
-
-# For services that don't need compatibility with legacy clients (mostly WinXP),
-# but still need to support a wide range of clients, this configuration is
-# recommended.
-#
-# Protect against the BEAST and POODLE attacks by not using SSLv3 at all.
-# If you need to support older browsers (IE6) you may need to add SSLv3 to the
-# list of protocols.
-#
-# Based on intermediate profile recommended by Mozilla.
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/
-#
-# (1) Diffie-Hellman parameter for DHE cipher suites
-#     A 4096 bits or more DH parameter is recommended.
-#     (!) A DH parameter generation is required to enable this directive.
-#         openssl dhparam -out /etc/nginx/dhparam.pem 4096
-#     https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
-#
-# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
-# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
-
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
-ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
-
-# (1)
-# ssl_dhparam /etc/nginx/dhparam.pem;

h5bp/tls/policy_balanced.conf

@@ -1,13 +1,9 @@
 # ----------------------------------------------------------------------
-# | SSL policy - Intermediate                                          |
+# | SSL policy - Balanced                                              |
 # ----------------------------------------------------------------------
 
-# For services that don't need backward compatibility, the parameters below
-# provide a higher level of security.
-#
-# (!) This policy enforces a mildly strong SSL configuration, which may raise
-#     errors with old clients.
-#     If a more compatible profile is required, use the "deprecated" policy.
+# For services that need to support a wide range of clients, this configuration
+# is raisonnably balanced.
 #
 # (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
 #     and potentially vulnerable but are required to support Microsoft Edge

h5bp/tls/policy_strict.conf

@@ -1,9 +1,13 @@
 # ----------------------------------------------------------------------
-# | SSL policy - Modern                                                |
+# | SSL policy - Strict                                                |
 # ----------------------------------------------------------------------
 
-# For services that want to be on the bleeding edge, the parameters below
-# sacrifice compatibility for the highest level of security and performance.
+# For services that don't need backward compatibility, the parameters below
+# provide the highest level of security and performance.
+#
+# (!) This policy enforces a strong TLS configuration, which may raise
+#     errors with old clients.
+#     If a more compatible profile is required, use the "balanced" policy.
 #
 # (!) TLSv1.3 and its 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
 #     to be installed.

test/vhosts/default.conf

@@ -14,9 +14,9 @@ server {
 
   server_name _;
 
-  include h5bp/ssl/ssl_engine.conf;
-  include h5bp/ssl/certificate_files.conf;
-  include h5bp/ssl/policy_intermediate.conf;
+  include h5bp/tls/ssl_engine.conf;
+  include h5bp/tls/certificate_files.conf;
+  include h5bp/tls/policy_balanced.conf;
 
   return 444;
 }

test/vhosts/secure.server.localhost.conf

@@ -4,9 +4,9 @@ server {
 
   server_name www.secure.server.localhost;
 
-  include h5bp/ssl/ssl_engine.conf;
-  include h5bp/ssl/certificate_files.conf;
-  include h5bp/ssl/policy_intermediate.conf;
+  include h5bp/tls/ssl_engine.conf;
+  include h5bp/tls/certificate_files.conf;
+  include h5bp/tls/policy_balanced.conf;
 
   return 301 $scheme://secure.server.localhost$request_uri;
 }
@@ -17,9 +17,9 @@ server {
 
   server_name secure.server.localhost;
 
-  include h5bp/ssl/ssl_engine.conf;
-  include h5bp/ssl/certificate_files.conf;
-  include h5bp/ssl/policy_intermediate.conf;
+  include h5bp/tls/ssl_engine.conf;
+  include h5bp/tls/certificate_files.conf;
+  include h5bp/tls/policy_balanced.conf;
 
   root /var/www/server.localhost;