roles/nginx: disable nginx ssl_prefer_server_ciphers

This is apparently the default and recommended by Mozilla's server- side SSL configurator also recommends. This lets the client choose the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are not currently known to be dangerous).
2025-03-29 22:33:38 +03:00 · 2025-03-29 22:33:38 +03:00 · 9a500ebc0d
commit 9a500ebc0d
parent 4bae942585
1 changed files with 1 additions and 1 deletions
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@ -29,7 +29,7 @@
    ssl_protocols {{ nginx_ssl_protocols }};
    ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
    ssl_ciphers "{{ tls_cipher_suite }}";
-    ssl_prefer_server_ciphers on;
+    ssl_prefer_server_ciphers off;

    {# OSCP stapling only works with real certs #}
    {% if use_letsencrypt == true or item.tls_certificate_path %}