Follow Qualys's SSL labs recommendation for HTTPS.

(Disable SSLv3 and extend STS' max age to 180 days.) See https://www.ssllabs.com/ssltest/ .
author: Guilhem Moulin <guilhem@fripost.org> 2014-04-16 21:28:33 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2015-06-07 02:51:45 +0200
commit: ddb49f59d2ac511a6bf252d4a6f0a05f8ed95c17 (patch)
tree: 47d32410d83748b622ae5cdef2943fa1b7116c76 /roles/common-web
parent: 0cc50082b05575597d72c08bb6f7e8f9145f8c68 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/roles/common-web/files/etc/nginx/ssl/config b/roles/common-web/files/etc/nginx/ssl/config
index 863961b..6f0546b 100644
--- a/roles/common-web/files/etc/nginx/ssl/config
+++ b/roles/common-web/files/etc/nginx/ssl/config
@@ -10,10 +10,10 @@ ssl_session_cache 			shared:SSL:5m;
 # The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
 # in favor of RC4, but that's not satisfactory either since RC4 has
 # other weaknesses.
-ssl_protocols 				SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols 				TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers 				HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
 ssl_prefer_server_ciphers 	on;
 
 # Strict Transport Security header for enhanced security. See
 # http://www.chromium.org/sts.
-add_header Strict-Transport-Security "max-age=12960000";
+add_header Strict-Transport-Security "max-age=15552000";
author	Guilhem Moulin <guilhem@fripost.org>	2014-04-16 21:28:33 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2015-06-07 02:51:45 +0200
commit	ddb49f59d2ac511a6bf252d4a6f0a05f8ed95c17 (patch)
tree	47d32410d83748b622ae5cdef2943fa1b7116c76 /roles/common-web
parent	0cc50082b05575597d72c08bb6f7e8f9145f8c68 (diff)