From c61bf6be45c087c9083601662de8c37dfd061130 Mon Sep 17 00:00:00 2001 From: bnewbold Date: Fri, 20 Feb 2015 08:24:20 +0900 Subject: more SSL notes --- software/ssl.page | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'software') diff --git a/software/ssl.page b/software/ssl.page index 88834e8..04129a4 100644 --- a/software/ssl.page +++ b/software/ssl.page @@ -115,3 +115,25 @@ gandi.net: used by debian.org https://wiki.cacert.org/FAQ/ImportRootCert#Debian https://wiki.cacert.org/FAQ/BrowserClients#Linux + +### nginx Config + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE + ssl_prefer_server_ciphers on; + ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; + +Then also: + + openssl dhparam -out /etc/ssl/dhparam.pem 2048 + chmod 600 dhparam.pem + +And add: + + ssl_dhparam /etc/ssl/dhparam.pem; + +For old servers consider: + + ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; + -- cgit v1.2.3