From 9a500ebc0d44c15dac278f610f84d32c02d21f4d Mon Sep 17 00:00:00 2001
From: Alan Orth <alan.orth@gmail.com>
Date: Sat, 29 Mar 2025 22:33:38 +0300
Subject: [PATCH] roles/nginx: disable nginx ssl_prefer_server_ciphers

This is apparently the default, and Mozilla's server-side SSL
configurator also recommends it. This lets the client choose the
ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are
not currently known to be dangerous).
---
 roles/nginx/templates/https.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2
index efd215c..07b8d80 100644
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@@ -29,7 +29,7 @@
     ssl_protocols {{ nginx_ssl_protocols }};
     ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
     ssl_ciphers "{{ tls_cipher_suite }}";
-    ssl_prefer_server_ciphers on;
+    ssl_prefer_server_ciphers off;
 
     {# OSCP stapling only works with real certs #}
     {% if use_letsencrypt == true or item.tls_certificate_path %}
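Review bot: With `ssl_prefer_server_ciphers off;` the order of `tls_cipher_suite` no longer decides the negotiated cipher — the client's preference does — so the safety of the list now rests on every entry being acceptable on its own, not on a strong cipher being listed first. A template comment beside the directive would record that assumption for whoever edits the variable later, e.g. `{# client preference wins: keep every entry in tls_cipher_suite individually acceptable #}`. The server block containing this directive continues outside the hunk, so any second occurrence of the setting elsewhere in the template is not visible here.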