From 3feae2e87768c05d7c74e1ca3a2abb75fb10c6dd Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 2 May 2018 19:43:33 +0200 Subject: [PATCH] Some ecdh_curve don't work on jessie --- data/templates/nginx/plain/yunohost_admin.conf | 7 ++++++- data/templates/nginx/server.tpl.conf | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/data/templates/nginx/plain/yunohost_admin.conf b/data/templates/nginx/plain/yunohost_admin.conf index b1fb0d2ef..dff6d0636 100644 --- a/data/templates/nginx/plain/yunohost_admin.conf +++ b/data/templates/nginx/plain/yunohost_admin.conf @@ -19,8 +19,13 @@ server { ssl_certificate_key /etc/yunohost/certs/yunohost.org/key.pem; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; + # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519 - ssl_ecdh_curve secp521r1:secp384r1:prime256v1; + # (this doesn't work on jessie though ...?) + # ssl_ecdh_curve secp521r1:secp384r1:prime256v1; + + # As suggested by https://cipherli.st/ + ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index df722b526..f55df65f1 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -24,8 +24,13 @@ server { ssl_certificate_key /etc/yunohost/certs/{{ domain }}/key.pem; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; + # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519 - ssl_ecdh_curve secp521r1:secp384r1:prime256v1; + # (this doesn't work on jessie though ...?) + # ssl_ecdh_curve secp521r1:secp384r1:prime256v1; + + # As suggested by https://cipherli.st/ + ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on;
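Review bot: The new comment `# (this doesn't work on jessie though ...?)` in yunohost_admin.conf leaves the actual reason for the change undocumented, and the likely cause is worth writing down: a colon-separated `ssl_ecdh_curve` list is only accepted by nginx >= 1.11.0 built against OpenSSL >= 1.0.2, whereas jessie ships an nginx/OpenSSL pair that takes a single curve name (please confirm against the nginx error log on jessie before committing to that wording). Pinning a single curve also changes the handshake: X25519 and P-256 are no longer offered, so a client without P-384 either falls back to whatever non-ECDHE suites `ssl_ciphers` (not in this hunk) still allows or fails outright, and P-384 key exchange is noticeably slower than P-256. I would replace the two added comment lines with `# jessie's nginx/OpenSSL accept only one curve here; the list form (and X25519) needs nginx >= 1.11 / OpenSSL >= 1.0.2 -- revisit when jessie support is dropped` so the restriction is lifted deliberately rather than forgotten. The enclosing `server {` block starts and ends outside the hunk.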
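Review bot: server.tpl.conf now carries the same hard-coded `ssl_ecdh_curve secp384r1;` as yunohost_admin.conf, with the old directive kept above it as a commented-out line and a question-mark comment; two copies of a TLS parameter annotated as "...?" are easy to let drift and read as something left mid-debugging. Since the single curve is a distro workaround rather than a design choice, say so where the value lives, e.g. `# single curve on purpose: jessie's nginx/OpenSSL do not accept a curve list (keep in sync with yunohost_admin.conf)`, and drop the `...?`. It is also worth verifying that the clients you care about for {{ domain }} sites negotiate P-384, because with one curve offered there is no ECDHE fallback to P-256; the `ssl_ciphers` line that decides what happens then is outside this hunk. The enclosing `server {` block extends beyond the hunk on both sides.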