updated the ssl_protocol and cipher config

atomic111 · atomic111 · commit 8b3a0f27875a · 2017-07-04T22:36:38.000+02:00
Signed-off-by: Patrick Münch &lt;patrick.muench1111@gmail.com&gt;
diff --git a/attributes/hardening.rb b/attributes/hardening.rb
@@ -93,7 +93,8 @@
 flags.push '--without-http_ssi_module'       unless node['nginx-hardening']['source']['http_ssi_module']
 
 default['nginx']['source']['default_configure_flags'] = flags
-default['nginx-hardening']['options']['ssl_protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
-default['nginx-hardening']['options']['ssl_ciphers'] = "'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'"
+default['nginx-hardening']['options']['ssl_protocols'] = 'TLSv1.2'
+default['nginx-hardening']['options']['ssl_ciphers'] = "'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'"
 default['nginx-hardening']['options']['ssl_prefer_server_ciphers'] = 'on'
+default['nginx-hardening']['options']['ssl_session_tickets'] = 'off'
 default['nginx-hardening']['dh-size'] = 2048
