roles/nginx: disable nginx ssl_prefer_server_ciphers
This is apparently the default, and Mozilla's server-side SSL configurator also recommends it. This lets the client choose the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are not currently known to be dangerous).
parent 4bae942585
commit 9a500ebc0d
@ -29,7 +29,7 @@
|
||||
ssl_protocols {{ nginx_ssl_protocols }};
|
||||
ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
|
||||
ssl_ciphers "{{ tls_cipher_suite }}";
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
{# OSCP stapling only works with real certs #}
|
||||
{% if use_letsencrypt == true or item.tls_certificate_path %}
|
||||
|
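Review bot: With `ssl_prefer_server_ciphers off;` the ordering inside `tls_cipher_suite` on the `ssl_ciphers` line just above stops mattering, so any suite in that list can end up negotiated if a client prefers it. The commit message relies on only TLS 1.2 and 1.3 ciphers being offered, but neither `nginx_ssl_protocols` nor `tls_cipher_suite` is visible here, so please confirm their defaults contain nothing older or weaker, and consider a short template comment next to the directive stating that the list must hold only suites acceptable as a client's first choice. As a style point, the neighbouring directives are all driven by variables while this one is hardcoded; a variable with `off` as its default would keep the template consistent and let a host override it.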