From f851817bbf3c94cca638dd9b849bfb23080cad46 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin <alex.aubin@mailoo.org>
Date: Sun, 12 Mar 2017 20:58:45 -0400
Subject: [PATCH] Updating ciphers with recommendation from mozilla with modern
 compatibility

---
 data/templates/nginx/server.tpl.conf | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf
index 45961633f..8466eeef3 100644
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@@ -24,16 +24,15 @@ server {
     ssl_certificate_key /etc/yunohost/certs/{{ domain }}/key.pem;
     ssl_session_timeout 5m;
     ssl_session_cache shared:SSL:50m;
+
+    # Ciphers with modern configuration
+    # Source : https://mozilla.github.io/server-side-tls/ssl-config-generator/
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
     ssl_prefer_server_ciphers on;
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 
     add_header Strict-Transport-Security "max-age=31536000;";
 
-    # Uncomment the following directive after DH generation
-    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
-    #ssl_dhparam /etc/ssl/private/dh2048.pem;
-
     access_by_lua_file /usr/share/ssowat/access.lua;
 
     include conf.d/{{ domain }}.d/*.conf;