commit: 51f6e1e4c920c494b0565b893a99540430139767
parent aa9c49838c8eb6ad91bc278c91848cd94cfebe8c
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Thu, 16 Feb 2017 15:52:22 +0100
antisèche-nginx: Simplification et suppression de DHE
Diffstat:
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/antisèche-nginx.shtml b/antisèche-nginx.shtml
@@ -36,9 +36,9 @@ server {
 	ssl_certificate_key ssl/hacktivis.me.key; # pour RSA mettre du 3072 bits minimum
 
 	# Merci <a href="https://blog.imirhil.fr/cryptcheck-verifiez-vos-implementations-de-tls.html">aeris</a> ;3
-	ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM:DHE+CHACHA20:DHE+AESGCM'; # or EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA
+	ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM'; # or EECDH+CHACHA20:EECDH+AES:DHE+CHACHA20:DHE+AES:+SHA
 	ssl_prefer_server_ciphers on; # Parceque les clients on une config TLS toute pouritte
-	ssl_protocols +TLSv1.2 -TLSv1.1 -TLSv1 -SSLv3 -SSLv2; # POODLE sur ≤TLS1.1
+	ssl_protocols TLSv1.2; # POODLE sur ≤TLS1.1
 	ssl_dhparam ssl/dhparam.pem; # “openssl dhparam -out dhparam.pem 2048” (4096 est <strong>très</strong> long)
 	ssl_dhparam secp384r1:secp521r1; # if("failed: unknown curve"): ssl_dhparam secp384r1;
 	ssl_stapling on;
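Review bot: DHE is only half removed here: the new `ssl_ciphers` line drops the DHE suites, but its trailing comment still offers `DHE+CHACHA20:DHE+AES` as an alternative, and the unchanged `ssl_dhparam ssl/dhparam.pem;` below it now configures parameters that no enabled suite uses. I would shorten the comment to `# or EECDH+CHACHA20:EECDH+AES:+SHA` and delete the dhparam line, so a reader copying the cheat sheet does not re-enable DHE by accident. The next context line, `ssl_dhparam secp384r1:secp521r1;`, repeats `ssl_dhparam` and passes curve names to a directive that expects a file, so nginx will most likely reject the configuration; the curve list belongs in `ssl_ecdh_curve secp384r1:secp521r1;`. The enclosing `server {` block starts and ends outside this hunk, so check whether these directives are set again elsewhere in it.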