Add DH parameters note to policy_intermediate.conf (#212)

For DHE ciphersuites, adding a diffie hellman parameter is a good practice. Only the intermediate policy uses DHE ciphersuites.
This commit is contained in:
Ewout van Mansom 2018-12-02 17:05:11 +01:00 committed by Léo Colombaro
parent 86d8ed33ca
commit df23e0ba8c
1 changed files with 9 additions and 0 deletions

View File

@ -13,9 +13,18 @@
# Based on intermediate profile recommended by Mozilla.
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
#
# (1) Diffie-Hellman parameter for DHE cipher suites
# A 4096 bits or more DH parameter is recommended.
# (!) A DH parameter generation is required to enable this directive.
# openssl dhparam -out /etc/nginx/dhparam.pem 4096
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
# (1)
# ssl_dhparam /etc/nginx/dhparam.pem;