mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-11-26 02:57:04 +00:00
nginx-ssl.conf changes were partially incorrect, partial revert of 834c42bc50
My own /etc/nginx/nginx.conf was messed up, so what I thought were Ubuntu 14.04 defaults weren't, and we lost the ssl_protocols and ssl_prefer_server_ciphers settings. This puts those back. https://discourse.mailinabox.email/t/dev-master-version-reported-as-poodle-attack-vulnerable-by-ssllabs/898
This commit is contained in:
parent
3b91bc2c0a
commit
f046031b26
@ -26,13 +26,13 @@
|
|||||||
# but with a small exception (DES-CBC3-SHA) for IE8/XP users.
|
# but with a small exception (DES-CBC3-SHA) for IE8/XP users.
|
||||||
#
|
#
|
||||||
# Reference client: https://www.ssllabs.com/ssltest/analyze.html
|
# Reference client: https://www.ssllabs.com/ssltest/analyze.html
|
||||||
# ssl_prefer_server_ciphers on; # This is the default in Ubuntu 14.04/nginx 1.4.6 and it is an error to repeat it at the http level.
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
|
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
|
||||||
|
|
||||||
# Cut out (the old, broken) SSLv3 entirely.
|
# Cut out (the old, broken) SSLv3 entirely.
|
||||||
# This **excludes IE6 users** and (apparently) Yandexbot.
|
# This **excludes IE6 users** and (apparently) Yandexbot.
|
||||||
# Just comment out if you need to support IE6, bless your soul.
|
# Just comment out if you need to support IE6, bless your soul.
|
||||||
#ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # This is the default in Ubuntu 14.04/nginx 1.4.6 and it is an error to repeat it at the http level.
|
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
|
||||||
|
|
||||||
# Turn on session resumption, using a 10 min cache shared across nginx processes,
|
# Turn on session resumption, using a 10 min cache shared across nginx processes,
|
||||||
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
|
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
|
||||||
|
Loading…
Reference in New Issue
Block a user