From ddb49f59d2ac511a6bf252d4a6f0a05f8ed95c17 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 16 Apr 2014 21:28:33 +0200 Subject: Follow Qualys's SSL labs recommendation for HTTPS. (Disable SSLv3 and extend STS' max age to 180 days.) See https://www.ssllabs.com/ssltest/ . --- roles/common-web/files/etc/nginx/ssl/config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'roles') diff --git a/roles/common-web/files/etc/nginx/ssl/config b/roles/common-web/files/etc/nginx/ssl/config index 863961b..6f0546b 100644 --- a/roles/common-web/files/etc/nginx/ssl/config +++ b/roles/common-web/files/etc/nginx/ssl/config @@ -10,10 +10,10 @@ ssl_session_cache shared:SSL:5m; # The alternative would be to reject BEAST-vulnerable ciphers from TLSv1 # in favor of RC4, but that's not satisfactory either since RC4 has # other weaknesses. -ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH; ssl_prefer_server_ciphers on; # Strict Transport Security header for enhanced security. See # http://www.chromium.org/sts. -add_header Strict-Transport-Security "max-age=12960000"; +add_header Strict-Transport-Security "max-age=15552000"; -- cgit v1.2.3