From ccc303f5974ee79bb9561590de50d20602330393 Mon Sep 17 00:00:00 2001
From: Asif Bacchus
Date: Tue, 5 Jan 2021 17:12:00 -0700
Subject: [PATCH] refactor(CONFIG): update SSL configurations

---
 .../mozIntermediate_ssl.conf.disabled | 17 ++++++++---------
 .../ssl-config/mozModern_ssl.conf.disabled | 14 ++++++--------
 2 files changed, 14 insertions(+), 17 deletions(-)

diff --git a/build/config/ssl-config/mozIntermediate_ssl.conf.disabled b/build/config/ssl-config/mozIntermediate_ssl.conf.disabled
index a1d2ea4..e07bae9 100644
--- a/build/config/ssl-config/mozIntermediate_ssl.conf.disabled
+++ b/build/config/ssl-config/mozIntermediate_ssl.conf.disabled
@@ -1,10 +1,8 @@
-#######
-### NGINX SSL configuration
-### Generated using the Mozilla SSL Configuration Generator
-### (https://ssl-config.mozilla.org)
-### 'Intermediate' profile for NGINX 1.17 with OpenSSL 1.1.1c HSTS optional
-### Last generated: October 16, 2019
-#######
+#
+# NGINX SSL configuration (https://ssl-config.mozilla.org)
+# 'Intermediate' profile for NGINX (TLS 1.2+)
+# Generated: January 5, 2021
+#
 
 # SSL certificates should be defined in the relevant server block
 
@@ -15,7 +13,8 @@ ssl_session_tickets off;
 
 # SSL protocols and ciphers
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;ssl_prefer_server_ciphers off;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
 
 # Diffie-Hellman parameter for DHE cipher suites, using 4096 bits
 ssl_dhparam /certs/dhparam.pem;
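Review bot: The new header line `# Generated: January 5, 2021` reads as the date the Mozilla generator produced this profile, but as far as this diff shows nothing below the header was regenerated — the only other change in the file is splitting `ssl_prefer_server_ciphers off;` onto its own line, and the cipher list is the one the October 2019 header documented. That matters because the generation date is what a later maintainer will use to judge whether the suite list is stale. Suggest keeping the provenance explicit, e.g. `# Based on Mozilla SSL Configuration Generator output of October 16, 2019 (nginx 1.17 / OpenSSL 1.1.1c); header revised January 5, 2021`, or actually re-running the generator and recording its version.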
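Review bot: `ssl_prefer_server_ciphers off;` now stands on its own line, which is clearer, but nothing says why it is off or that `ssl_ciphers` governs only the TLS 1.2 suites, and both are exactly the settings a later maintainer is likely to "harden" by mistake (turning server preference on, or appending TLS 1.3 names to the list). `ssl_ciphers` is handed to OpenSSL's cipher-list API, which does not control TLS 1.3 suites; those come from OpenSSL's built-in `Ciphersuites` default (or `ssl_conf_command Ciphersuites …` in recent nginx). Suggest `# TLS 1.2 suites only; TLS 1.3 suites are not affected by ssl_ciphers` above the `ssl_ciphers` line and `# off: let the client choose (Mozilla intermediate guidance) so devices without AES-NI can pick CHACHA20-POLY1305` above `ssl_prefer_server_ciphers`. The old concatenated form was already valid nginx syntax, so this hunk is a readability fix only and the comments are what is still missing.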
@@ -31,4 +30,4 @@ ssl_stapling_verify on;
 
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /certs/chain.pem;
-# resolver should be specified in nginx.conf or in networking configuration
+# resolver should be specified in nginx.conf or in networking configuration
\ No newline at end of file
diff --git a/build/config/ssl-config/mozModern_ssl.conf.disabled b/build/config/ssl-config/mozModern_ssl.conf.disabled
index f686224..5e820b7 100644
--- a/build/config/ssl-config/mozModern_ssl.conf.disabled
+++ b/build/config/ssl-config/mozModern_ssl.conf.disabled
@@ -1,10 +1,8 @@
-#######
-### NGINX SSL configuration
-### Generated using the Mozilla SSL Configuration Generator
-### (https://ssl-config.mozilla.org)
-### 'Modern' profile for NGINX 1.17 with OpenSSL 1.1.1c HSTS optional
-### Last generated: October 16, 2019
-#######
+#
+# NGINX SSL configuration (https://ssl-config.mozilla.org)
+# 'Modern' profile for NGINX (TLS 1.3 only)
+# Generated: January 5, 2021
+#
 
 # SSL certificates should be defined in the relevant server block
 
@@ -28,4 +26,4 @@ ssl_stapling_verify on;
 
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /certs/chain.pem;
-# resolver should be specified in nginx.conf or in networking configuration
+# resolver should be specified in nginx.conf or in networking configuration
\ No newline at end of file
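Review bot: The rewritten Modern header drops the build the profile was generated for (`NGINX 1.17 with OpenSSL 1.1.1c`) without stating a minimum requirement, and for a TLS 1.3-only profile that is the one fact an operator needs before enabling the file: a TLS 1.3 protocol setting needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later, and on an older build there is no protocol left to negotiate, so TLS fails closed rather than degrading (to be confirmed against the target image). The header should also say plainly that TLS 1.2 clients are excluded, since `(TLS 1.3 only)` is easy to read as a feature rather than a compatibility cut. Suggest replacing the blank `#` line with `# Requires nginx >= 1.13.0 built with OpenSSL >= 1.1.1; TLS 1.2 clients cannot connect — use the Intermediate profile if they must be served`. The directives this header describes lie outside the hunk.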