# ---------------------------------------------------------------------- # | SSL policy - Deprecated | # ---------------------------------------------------------------------- # For services that don't need compatibility with legacy clients # (mostly WinXP), but still need to support a wide range of clients, # this configuration is recommended. # # Protect against the BEAST and POODLE attacks by not using SSLv3 at all. # If you need to support older browsers (IE6) you may need to add # SSLv3 to the list of protocols. # # Based on intermediate profile recommended by Mozilla. # https://mozilla.github.io/server-side-tls/ssl-config-generator/ # # (1) Diffie-Hellman parameter for DHE cipher suites # A 4096 bits or more DH parameter is recommended. # (!) A DH parameter generation is required to enable this directive. # openssl dhparam -out /etc/nginx/dhparam.pem 4096 # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam # # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations # https://nginx.org/en/docs/http/ngx_http_ssl_module.html ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA; ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1; # (1) # ssl_dhparam /etc/nginx/dhparam.pem;