959839d81f
TLSv1.0 & TLSv1.1 suffer from [POODLE](blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) and other [padding oracle attack](blog.cloudflare.com/padding-oracles-and-the-decline-of-cbc-mode-ciphersuites) You need to support only TLSv1.2 to expect closing those weakness (and use only AEAD cipher suite in case of padding oracle). The same, non PFS cipher suite is not at all recommended (see heartbleed effect). DHE support [is dropped](digicert.com/blog/google-plans-to-deprecate-dhe-cipher-suites) from any decent user agent and can lead to [mitm attack](media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#t=1357) (arround ~25min in the video) with only one side supporting weak cipher suite. 3DES is deprecated and suffer from [sweet32](sweet32.info) So I recommend using only the `EECDH+CHACHA20:EECDH+AES` cipher suite, which has [quite good compatibility](cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES) and a very better security than the actual cipher suite. Fix #201 Fix #183 Fix #190 Prepare #180 Co-authored-by: aeris <aeris@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| cross-origin | ||
| errors | ||
| internet_explorer | ||
| location | ||
| security | ||
| ssl | ||
| web_performance | ||
| README.md | ||
| basic.conf | ||
README.md
Component-config files
Each of these files is intended to be included in a server block. Not all of
the files here are used - they are available to be included as required. The
basic.conf file includes the rules which are recommended to always be
defined.