Exclude certain blacklisted ciphers from Nginx
This commit is contained in:
parent
9be1ece381
commit
3dd28fa028
@ -13,6 +13,17 @@ server {
# of common primes
ssl_dhparam /etc/nginx/dhparams.pem;
|
# Restrict supported ciphers to prevent certain browsers from refusing to
# connect because we are offering blacklisted ciphers. This configuration has
# been generated by Mozilla's SSL Configuration Generator on the
# intermediate profile and can be accessed at:
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.1&openssl=1.0.1e&hsts=no&profile=intermediate
# More information about blacklisted ciphers can be found at:
# http://security.stackexchange.com/questions/126775/understanding-blacklisted-ciphers-for-http2
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
|
# Enable OCSP stapling which allows clients to verify that our certificate
# is not revoked without contacting the Certificate Authority by appending a
# CA-signed promise, that it's still valid, to the TLS handshake response.
|
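Review bot: The new `ssl_protocols` and `ssl_ciphers` lines still enable TLSv1/TLSv1.1 and the four 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) plus the non-forward-secret static-RSA `AES*-SHA*` suites, which the intermediate profile keeps only for legacy clients; the commit does not record whether those clients are actually in scope. If they are not, tighten to `ssl_protocols TLSv1.2;` and remove the `*-DES-CBC3-SHA` entries from the list; if they are, add a comment such as `# TLSv1/1.1 and the DES-CBC3 suites are retained only for legacy clients; drop them once those are no longer supported.` so the next maintainer knows the list is deliberately permissive. The generator URL pins `nginx-1.10.1` and `openssl=1.0.1e`; if the deployed versions differ the list should be regenerated for the real versions, since the profile output depends on them, and the comment should say which versions it was generated against. The enclosing `server { ... }` block starts and ends outside the hunk, so the `ssl_certificate`/`ssl_certificate_key` directives the DHE/ECDHE suites rely on are not visible here.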