summary refs log tree commit diff
path: root/nixos
diff options
context:
space:
mode:
authorEmily <vcs@emily.moe>2020-03-06 12:53:37 +0000
committerEmily <vcs@emily.moe>2020-03-06 13:08:56 +0000
commit4ed98d69ed434451c597168e77af8a12d69beaae (patch)
tree8ef3e8e3fa0dc5bd4fa8b41d0309a174a916308a /nixos
parent82b54d490663b6d87b7b34b9cfc0985df8b49c7d (diff)
downloadnixpkgs-4ed98d69ed434451c597168e77af8a12d69beaae.tar
nixpkgs-4ed98d69ed434451c597168e77af8a12d69beaae.tar.gz
nixpkgs-4ed98d69ed434451c597168e77af8a12d69beaae.tar.bz2
nixpkgs-4ed98d69ed434451c597168e77af8a12d69beaae.tar.lz
nixpkgs-4ed98d69ed434451c597168e77af8a12d69beaae.tar.xz
nixpkgs-4ed98d69ed434451c597168e77af8a12d69beaae.tar.zst
nixpkgs-4ed98d69ed434451c597168e77af8a12d69beaae.zip
nixos/nginx: use Mozilla Intermediate TLS configuration
The configuration at https://ssl-config.mozilla.org/#server=nginx&config=intermediate
is reliably kept up-to-date in terms of security and compatible with a
wide range of clients. They've probably had more care and thought put
into them than our defaults, and will be easier to keep updated in
the future.

The only removed (rather than changed) configuration option here is
ssl_ecdh_curve, per https://github.com/mozilla/server-side-tls/issues/189.

Resolves #80952.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix20
1 files changed, 14 insertions, 6 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index c8602e5975b..28b433104a1 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -87,10 +87,17 @@ let
       ${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"}
 
       ${optionalString (cfg.recommendedTlsSettings) ''
-        ssl_session_cache shared:SSL:42m;
-        ssl_session_timeout 23m;
-        ssl_ecdh_curve secp384r1;
-        ssl_prefer_server_ciphers on;
+        # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
+
+        ssl_session_timeout 1d;
+        ssl_session_cache shared:SSL:10m;
+        # Breaks forward secrecy: https://github.com/mozilla/server-side-tls/issues/135
+        ssl_session_tickets off;
+        # We don't enable insecure ciphers by default, so this allows
+        # clients to pick the most performant, per https://github.com/mozilla/server-side-tls/issues/260
+        ssl_prefer_server_ciphers off;
+
+        # OCSP stapling
         ssl_stapling on;
         ssl_stapling_verify on;
       ''}
@@ -487,8 +494,9 @@ in
 
       sslCiphers = mkOption {
         type = types.str;
-        default = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
-        description = "Ciphers to choose from when negotiating tls handshakes.";
+        # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
+        default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+        description = "Ciphers to choose from when negotiating TLS handshakes.";
       };
 
       sslProtocols = mkOption {
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-06 01:19:03 +0000