From 2ddf46ad2b5054988ea5b270dcdb88ea80e6067e Mon Sep 17 00:00:00 2001
From: bladeswords <bladeswords@users.noreply.github.com>
Date: Mon, 9 Mar 2020 23:12:02 +1100
Subject: [PATCH] Update crypto to be modern and inline with tls.conf

Updated to match tls.conf and be aligned to more modern cryptographic standards and only use currently secure protocols and ciphers.
---
 core/nginx/conf/nginx.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 250ceec7..46db324f 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -218,9 +218,9 @@ mail {
       listen 25;
       listen [::]:25;
       {% if TLS and not TLS_ERROR %}
-      ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
-      ssl_prefer_server_ciphers on;
+      ssl_protocols TLSv1.2 TLSv1.3;
+      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+      ssl_prefer_server_ciphers off;
       starttls on;
       {% endif %}
       protocol smtp;