roles/nginx: disable nginx ssl_prefer_server_ciphers

This is apparently the default, and Mozilla's server-side SSL
configurator also recommends it. This lets the client choose
the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are
not currently known to be dangerous).
Alan Orth 2025-03-29 22:33:38 +03:00
parent 4bae942585
commit 9a500ebc0d
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9


@ -29,7 +29,7 @@
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on;
ssl_prefer_server_ciphers off;
{# OSCP stapling only works with real certs #}
{% if use_letsencrypt == true or item.tls_certificate_path %}