Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / nginx / 63226c000dda1fd08942442328efcdcfe84ca347^! / .
commit63226c000dda1fd08942442328efcdcfe84ca347[log] [tgz]
authorFilip Pytloun <filip@pytloun.cz>Tue Sep 06 13:44:00 2016 +0200
committerFilip Pytloun <filip@pytloun.cz>Tue Sep 06 13:44:00 2016 +0200
treef5f8ede18ea30903521c827106b0271508124878
parentea103573e42bf12f98624041c7e17e62e0a2802b [diff]
Use more secure ssl ciphers, fixes CVE-2016-2107

diff --git a/nginx/files/_ssl_normal.conf b/nginx/files/_ssl_normal.conf
index 0412c32..ff0b71b 100644
--- a/nginx/files/_ssl_normal.conf
+++ b/nginx/files/_ssl_normal.conf

@@ -1,6 +1,6 @@
 
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 ssl_prefer_server_ciphers on;
 ssl_ecdh_curve secp521r1;
 

diff --git a/nginx/files/_ssl_secure.conf b/nginx/files/_ssl_secure.conf
index ca24272..ec14d47 100644
--- a/nginx/files/_ssl_secure.conf
+++ b/nginx/files/_ssl_secure.conf

@@ -1,6 +1,11 @@
 
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 ssl_prefer_server_ciphers on;
 ssl_ecdh_curve secp521r1;
 ssl_dhparam /etc/ssl/dhparams.pem;
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;