commit 849f38f0340ad2a79b22330b357f913457d826dc
parent 4285e65ff43dae8d27ab5c67a59bce693cc5c50a
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Thu, 16 Feb 2017 15:52:22 +0100

antisèche-nginx: Simplification et suppression de DHE

Diffstat:
antisèche-nginx.shtml | 4++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/antisèche-nginx.shtml b/antisèche-nginx.shtml @@ -36,9 +36,9 @@ server { ssl_certificate_key ssl/hacktivis.me.key; # pour RSA mettre du 3072 bits minimum # Merci <a href="https://blog.imirhil.fr/cryptcheck-verifiez-vos-implementations-de-tls.html">aeris</a> ;3 - ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM:DHE+CHACHA20:DHE+AESGCM'; # or EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA + ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM'; # or EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA ssl_prefer_server_ciphers on; # Parceque les clients on une config TLS toute pouritte - ssl_protocols +TLSv1.2 -TLSv1.1 -TLSv1 -SSLv3 -SSLv2; # POODLE sur ≤TLS1.1 + ssl_protocols TLSv1.2; # POODLE sur ≤TLS1.1 ssl_dhparam ssl/dhparam.pem; # “openssl dhparam -out dhparam.pem 2048” (4096 est <strong>très</strong> long) ssl_dhparam secp384r1:secp521r1; # if("failed: unknown curve"): ssl_dhparam secp384r1; ssl_stapling on;
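Review bot: Removing the DHE suites from `ssl_ciphers` leaves the context line `ssl_dhparam ssl/dhparam.pem;` with nothing to apply to, and the trailing `# or EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA` comment on the new line still offers DHE as the alternative. Either drop both or mark them as only relevant when DHE is re-enabled. The next context line, `ssl_dhparam secp384r1:secp521r1;`, passes curve names to a directive that expects a DH-parameter file. Since key exchange is now ECDHE-only, it should probably read `ssl_ecdh_curve secp384r1:secp521r1;`, with the same change in its fallback comment. The `# POODLE sur ≤TLS1.1` comment kept on the new `ssl_protocols TLSv1.2;` line could also be reworded, since POODLE is primarily an SSLv3 issue. The enclosing `server { ... }` block starts and ends outside the hunk.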