From a6010124cd5ed7bb29ef881372a39f3688d99a58 Mon Sep 17 00:00:00 2001 From: carose Date: Thu, 28 Sep 2017 16:05:38 +0100 Subject: [PATCH] Enhanced security/SSL config Enabled session resumption / tweaked config to improve HTTPS performance Enhanced ciphers added for forward secrecy and compatibility --- scripts/nginx-ssl-snippet.conf | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/scripts/nginx-ssl-snippet.conf b/scripts/nginx-ssl-snippet.conf index e127722..f097659 100644 --- a/scripts/nginx-ssl-snippet.conf +++ b/scripts/nginx-ssl-snippet.conf @@ -3,10 +3,18 @@ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; -ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + +# ciphers chosen for forward secrecy and compatibility +# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html +ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_ecdh_curve secp384r1; -ssl_session_cache shared:SSL:10m; + +# enable session resumption to improve https performance +# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html +ssl_session_cache shared:SSL:50m; +ssl_session_timeout 1d; ssl_session_tickets off; + ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s;