From f046031b26a10127604577a78c8a455ef7aa31bc Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sat, 24 Oct 2015 11:36:18 +0000
Subject: [PATCH] nginx-ssl.conf changes were partially incorrect, partial revert of 834c42bc503b3430eb8100343581ed3be396c41b

My own /etc/nginx/nginx.conf was messed up, so what I thought were Ubuntu 14.04 defaults weren't, and we lost the ssl_protocols and ssl_prefer_server_ciphers settings. This puts those back.
https://discourse.mailinabox.email/t/dev-master-version-reported-as-poodle-attack-vulnerable-by-ssllabs/898
---
 conf/nginx-ssl.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf
index 21cdf419..d6d3eb10 100644
--- a/conf/nginx-ssl.conf
+++ b/conf/nginx-ssl.conf
@@ -26,13 +26,13 @@
 # but with a small exception (DES-CBC3-SHA) for IE8/XP users.
 #
 # Reference client: https://www.ssllabs.com/ssltest/analyze.html
-# ssl_prefer_server_ciphers on; # This is the default in Ubuntu 14.04/nginx 1.4.6 and it is an error to repeat it at the http level.
+ssl_prefer_server_ciphers on;
 ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
 
 # Cut out (the old, broken) SSLv3 entirely.
 # This **excludes IE6 users** and (apparently) Yandexbot.
 # Just comment out if you need to support IE6, bless your soul.
-#ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # This is the default in Ubuntu 14.04/nginx 1.4.6 and it is an error to repeat it at the http level.
+ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 
 # Turn on session resumption, using a 10 min cache shared across nginx processes,
 # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
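Review bot: The unchanged context comment `# Just comment out if you need to support IE6, bless your soul.` directly above the restored `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` is now misleading guidance: commenting the directive out does not "add" SSLv3 deliberately, it falls back to the nginx default, which this commit's message and the linked SSL Labs POODLE report suggest still included SSLv3 on Ubuntu 14.04/nginx 1.4.6, so the file would silently regress to the exact finding this commit fixes. Suggest replacing that line with `# Keep this directive explicit: the distro default allowed SSLv3 (see git history); if an old protocol is ever needed, list it here rather than commenting this out.` The same applies to the restored `ssl_prefer_server_ciphers on;`, whose removed comment claimed repeating it at the http level was an error; a one-line note that both directives are intentionally set explicitly rather than inherited from defaults would stop a future cleanup from removing them a second time. Re-running the reference client the file already cites after deploying would confirm the restored settings are actually in effect.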