Add DH parameters note to policy_intermediate.conf (#212)
For DHE ciphersuites, adding a diffie hellman parameter is a good practice. Only the intermediate policy uses DHE ciphersuites.
This commit is contained in:
parent
86d8ed33ca
commit
df23e0ba8c
|
@ -13,9 +13,18 @@
|
|||
# Based on intermediate profile recommended by Mozilla.
|
||||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||
#
|
||||
# (1) Diffie-Hellman parameter for DHE cipher suites
|
||||
# A 4096 bits or more DH parameter is recommended.
|
||||
# (!) A DH parameter generation is required to enable this directive.
|
||||
# openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
||||
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
|
||||
#
|
||||
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||||
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
|
||||
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
||||
|
||||
# (1)
|
||||
# ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
|
|
Loading…
Reference in New Issue