# ---------------------------------------------------------------------- # | SSL policy - Intermediate | # ---------------------------------------------------------------------- # For services that don't need backward compatibility, the parameters # below provide a higher level of security. # # (!) This policy enforces a strong SSL configuration, which may raise # errors with old clients. # If a more compatible profile is required, use the intermediate policy. # # (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known # to be weak and potentially vulnerable but are required to support # Microsoft Edge and Safari. # https://safecurves.cr.yp.to/ # # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations # https://nginx.org/en/docs/http/ngx_http_ssl_module.html ssl_protocols TLSv1.2; ssl_ciphers EECDH+CHACHA20:EECDH+AES; # (1) ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;