update nginx cipher list to Mozilla's current intermediate ciphers and update HSTS header to be six months

* The Mozilla recommendations must have been updated in the last few years.
* The HSTS header must have >=6 months to get an A+ at ssllabs.com/ssltest.

CHANGELOG.md

@@ -1,6 +1,14 @@
 CHANGELOG
 =========
 
+In Development
+--------------
+
+Web:
+
+* Updated cipher list to Mozilla's current intermediate recommendation.
+* Updated HSTS header to use longer six month duration.
+
 v0.24 (October 3, 2017)
 -----------------------
 

conf/nginx-ssl.conf

@@ -1,5 +1,5 @@
-# from: https://gist.github.com/konklone/6532544
+# from https://gist.github.com/konklone/6532544 and https://mozilla.github.io/server-side-tls/ssl-config-generator/
-###################################################################################
+###################################################################################################################
 
 # Basically the nginx configuration I use at konklone.com. 
 # I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
@@ -27,17 +27,17 @@
 # 
 # Reference client: https://www.ssllabs.com/ssltest/analyze.html
 ssl_prefer_server_ciphers on;
-ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 
 # Cut out (the old, broken) SSLv3 entirely. 
 # This **excludes IE6 users** and (apparently) Yandexbot.
 # Just comment out if you need to support IE6, bless your soul.
 ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 
-# Turn on session resumption, using a 10 min cache shared across nginx processes,
+# Turn on session resumption, using a cache shared across nginx processes,
 # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
-ssl_session_cache   shared:SSL:10m;
+ssl_session_cache shared:SSL:50m;
-ssl_session_timeout 10m;
+ssl_session_timeout 1d;
 #keepalive_timeout   70; # in Ubuntu 14.04/nginx 1.4.6 the default is 65, so plenty good
 
 # Buffer size of 1400 bytes fits in one MTU.

management/web_update.py

@@ -158,9 +158,9 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 
 	# Add the HSTS header.
 	if hsts == "yes":
-		nginx_conf_extra += "add_header Strict-Transport-Security max-age=31536000;\n"
+		nginx_conf_extra += "add_header Strict-Transport-Security max-age=15768000;\n"
 	elif hsts == "preload":
-		nginx_conf_extra += "add_header Strict-Transport-Security \"max-age=10886400; includeSubDomains; preload\";\n"
+		nginx_conf_extra += "add_header Strict-Transport-Security \"max-age=15768000; includeSubDomains; preload\";\n"
 
 	# Add in any user customizations in the includes/ folder.
 	nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")