Update nginx cipher suite and TLS protocols

Use latest Mozilla "intermediate" TLS settings. This configuration works on (at least) Ubuntu 18.04 and Debian 10. See: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate&openssl-version=1.1.1
2019-07-23 17:53:22 +03:00 · 2019-07-23 17:53:22 +03:00 · 2d98d70e02
parent 2fadb9029a
commit 2d98d70e02
2 changed files with 2 additions and 2 deletions
--- a/group_vars/all
+++ b/group_vars/all
@ -1,6 +1,6 @@
 ---
 # file: group_vars/all

-tls_cipher_suite: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"
+tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"

 # vim: set ts=2 sw=2:
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -14,7 +14,7 @@ nginx_ssl_session_cache: shared:SSL:10m
 # 1400 bytes to fit in one MTU (default is 16k!)
 nginx_ssl_buffer_size: 1400
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
-nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
+nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'

 # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling