Exclude certain blacklisted ciphers from Nginx

2017-02-06 15:32:37 +01:00 · 2017-02-06 15:32:37 +01:00 · 3dd28fa028
parent 9be1ece381
commit 3dd28fa028
1 changed files with 11 additions and 0 deletions
--- a/.infra/files/nginx.conf
+++ b/.infra/files/nginx.conf
@ -13,6 +13,17 @@ server {
    # of common primes
    ssl_dhparam /etc/nginx/dhparams.pem;

+    # Restrict supported ciphers to prevent certain browsers from refusing to
+    # connect because we are offering blacklisted ciphers. This configuration has
+    # been generated by Mozilla's SSL Configuration Generator on the
+    # intermediate profile and can be accessed at:
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.1&openssl=1.0.1e&hsts=no&profile=intermediate
+    # More information about blacklisted ciphers can be found at:
+    # http://security.stackexchange.com/questions/126775/understanding-blacklisted-ciphers-for-http2
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+    ssl_prefer_server_ciphers on;
+
    # Enable OCSP stapling which allows clients to verify that our certificate
    # is not revoked without contacting the Certificate Authority by appending a
    # CA-signed promise, that it's still valid, to the TLS handshake response.