use recommendation from raymii.org

2016-04-28 09:59:03 -07:00
parent 5945bce00e
commit 4a04e0b52f
1 changed files with 2 additions and 1 deletions
--- a/setup/start/nginx/appconfig.ejs
+++ b/setup/start/nginx/appconfig.ejs
@@ -18,9 +18,10 @@ server {
    # https://bettercrypto.org/static/applied-crypto-hardening.pdf
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # https://cipherli.st/
+    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
-    ssl_ciphers 'AES128+EECDH:AES128+EDH';
+    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

    proxy_http_version 1.1;