From 5508e12f9131cf2032e4ffe55d14cf47d7ef098b Mon Sep 17 00:00:00 2001
From: Mark Heiges <mheiges@uga.edu>
Date: Thu, 15 Sep 2016 10:59:40 -0400
Subject: [PATCH] change nginx ssl_ciphers and ssl_protocols to "Modern
 compatibility"

---
 roles/easyredmine/templates/nginx.conf.j2 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/roles/easyredmine/templates/nginx.conf.j2 b/roles/easyredmine/templates/nginx.conf.j2
index d697210..aab9c95 100644
--- a/roles/easyredmine/templates/nginx.conf.j2
+++ b/roles/easyredmine/templates/nginx.conf.j2
@@ -37,8 +37,9 @@ http {
     # for more information.
     include /etc/nginx/conf.d/*.conf;
 
-    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!DSS:!DH+3DES;
-    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+    # https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+    ssl_protocols TLSv1.2;
     ssl_prefer_server_ciphers on;
 
     # https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score