From 11ad127c68216734c406c393a361f2231e3a5a15 Mon Sep 17 00:00:00 2001
From: Thomas Willingham <beardyunixer@beardyunixer.com>
Date: Thu, 16 Oct 2014 01:57:04 +0100
Subject: Let's not play security expert.  Use Mozillas recommended server
 config, even if it's ridiculously verbose.  Reasoning - they make the
 browser, so if they've got it wrong, you're buggered anyway.

---
 doc/install/sample-nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'doc/install')

diff --git a/doc/install/sample-nginx.conf b/doc/install/sample-nginx.conf
index dd3b63d3b..f533d8ee0 100644
--- a/doc/install/sample-nginx.conf
+++ b/doc/install/sample-nginx.conf
@@ -56,7 +56,7 @@ server {
   ssl_certificate_key /etc/nginx/ssl/example.net.key;
   ssl_session_timeout 5m;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
+  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
   ssl_prefer_server_ciphers on;
 
   fastcgi_param HTTPS on;
-- 
cgit v1.2.3