adjust ciphers to a more secure set

7 years ago · 9ddfa0a633
parent e6bedabef0
commit 9ddfa0a633
3 changed files with 8 additions and 5 deletions
--- a/dovecot/conf/dovecot.conf
+++ b/dovecot/conf/dovecot.conf
@ -61,7 +61,8 @@ ssl_key = </certs/key.pem
 # TLS hardening is based on the following documentation:
 # https://bettercrypto.org/static/applied-crypto-hardening.pdf
 ssl_protocols=!SSLv3 !SSLv2
-ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
+# ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
+ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
 ssl_prefer_server_ciphers = yes
 ssl_dh_parameters_length = 2048
 ssl_options = no_compression
--- a/nginx/nginx.conf.default
+++ b/nginx/nginx.conf.default
@ -31,7 +31,8 @@ http {
      # TLS configuration hardened according to:
      # https://bettercrypto.org/static/applied-crypto-hardening.pdf
      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+      # ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+      ssl_ciphers 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
      ssl_prefer_server_ciphers on;
      ssl_session_timeout 5m;
      ssl_session_cache shared:SSL:50m;
@ -41,8 +42,8 @@ http {
      add_header Strict-Transport-Security max-age=15768000;

      if ($scheme = http) {
-    		return 301 https://$host$request_uri;
-    	}
+        return 301 https://$host$request_uri;
+      }

      # Load Lua variables
      set_by_lua $webmail 'return os.getenv("WEBMAIL")';
--- a/nginx/nginx.conf.fallback
+++ b/nginx/nginx.conf.fallback
@ -26,7 +26,8 @@ http {
      # TLS configuration hardened according to:
      # https://bettercrypto.org/static/applied-crypto-hardening.pdf
      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+      # ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+      ssl_ciphers 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
      ssl_prefer_server_ciphers on;
      ssl_session_timeout 5m;
      ssl_session_cache shared:SSL:50m;