From c61bf6be45c087c9083601662de8c37dfd061130 Mon Sep 17 00:00:00 2001
From: bnewbold <bnewbold@robocracy.org>
Date: Fri, 20 Feb 2015 08:24:20 +0900
Subject: more SSL notes

---
 software/ssl.page | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/software/ssl.page b/software/ssl.page
index 88834e8..04129a4 100644
--- a/software/ssl.page
+++ b/software/ssl.page
@@ -115,3 +115,25 @@ gandi.net: used by debian.org
 
 https://wiki.cacert.org/FAQ/ImportRootCert#Debian
 https://wiki.cacert.org/FAQ/BrowserClients#Linux
+
+### nginx Config
+
+    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE  
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 5m;
+
+Then also:
+
+    openssl dhparam -out /etc/ssl/dhparam.pem 2048
+    chmod 600 dhparam.pem
+
+And add:
+
+    ssl_dhparam /etc/ssl/dhparam.pem;
+
+For old servers consider:
+
+    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
+
-- 
cgit v1.2.3