diff options
Diffstat (limited to 'lib/support/nginx/registry-ssl')
-rw-r--r-- | lib/support/nginx/registry-ssl | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/lib/support/nginx/registry-ssl b/lib/support/nginx/registry-ssl index be16037629b..50ecb855e24 100644 --- a/lib/support/nginx/registry-ssl +++ b/lib/support/nginx/registry-ssl @@ -34,15 +34,12 @@ server { ssl_session_cache shared:SSL:10m; ssl_session_tickets off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + # These settings are in line with the modern settings from https://ssl-config.mozilla.org/ + # and are supported by all still-supported browsers since 2019. If you have specific needs + # for older settings, please consult the intermediate settings there. + ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off; - ## [Optional] Generate a stronger DHE parameter: - ## sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 - ## - # ssl_dhparam /etc/ssl/certs/dhparam.pem; - ## [Optional] Enable HTTP Strict Transport Security # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; |