Add TLS1.3 and reset to default Nginx ciphers

f500 · May 22, 2023 · 0eed092 · 0eed092
1 parent 8ac0c82
commit 0eed092
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -26,10 +26,10 @@ nginx_http_params_default:
  gzip_min_length: 256
  gzip_types: application/json application/vnd.ms-fontobject application/x-font-ttf application/x-javascript application/xml application/xml+rss font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/xml
 
- ssl_ciphers: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+ ssl_ciphers: "HIGH:!aNULL:!MD5"
  ssl_dhparam: "/etc/nginx/dh{{ nginx_dhparam_bits }}.pem"
  ssl_prefer_server_ciphers: on
- ssl_protocols: TLSv1.2
+ ssl_protocols: TLSv1.2 TLSv1.3
  ssl_session_cache: shared:SSL:50m
  ssl_session_tickets: off
  ssl_session_timeout: 1d