# ----------------------------------------------------------------------
# | SSL policy - Balanced                                              |
# ----------------------------------------------------------------------

# For services that need to support a wide range of clients, this configuration
# is reasonably balanced.
#
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
#     and potentially vulnerable but are required to support Microsoft Edge
#     and Safari.
#     https://safecurves.cr.yp.to/
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html

ssl_protocols TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES;

# (1)
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;