Learn about Centmin Mod LEMP Stack today
Become a Member

Master Branch add tools/switch-nginx-ciphers.sh in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jun 13, 2021.

  1. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Local Time:
    5:30 PM
    Nginx 1.21.x
    MariaDB 10.x
    add tools/switch-nginx-ciphers.sh in 123.09beta01

    - add new tools/switch-nginx-ciphers.sh script in preparation of updating 123.09beta01 and higher Nginx default HTTPS configuration to stronger intermediate Mozilla recommendations outlined at https://ssl-config.mozilla.org/#server=nginx&version=1.20.0&config=intermediate&openssl=1.1.1&guideline=5.6 for the following directives: ssl_ciphers, ssl_prefer_server_ciphers, ssl_session_tickets and ssl_dhparam to use ffdhe3072 recommended version. There is no need to modifying ssl_protocols directive as ssl_ciphers chosen will ultimately determine which ssl_protocols are available. When ssl_ciphers switch to Mozilla intermediate recommendations, only TLSv1.2 and TLSv1.3 are supported.
    - Future 123.09beta01 update with switch to default Mozilla intermediate recommendations. For now the new tools/switch-nginx-ciphers.sh script will allow folks to do that on a per vhost basis or in bulk for all Nginx HTTPS vhosts before the subsequent updates and/or also allow folks to switch between Mozilla intermediate recommendations or switch back to previous Centmin Mod 'old-defaults' to expand ssl_ciphers to support deprecated TLSv1.0 and TLSv1.1 as well as TLSv1.2 and TLSv1.3
    - new tool also has inbuilt testssl.sh support https://github.com/drwetter/testssl.sh via testssl command option

    Usage options available for switch-nginx-ciphers.sh



    ./switch-nginx-ciphers.sh intermediate-bulk
    ./switch-nginx-ciphers.sh intermediate /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    ./switch-nginx-ciphers.sh old-default-bulk
    ./switch-nginx-ciphers.sh old-default /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
    ./switch-nginx-ciphers.sh testssl domain.com:443

    Continue reading...

    Centmin Mod Github Master branch

    Master branch is where most recent commits are made as at May 24, 2015.
  2. happyhacking

    happyhacking Premium Member Premium Member

    Apr 23, 2021
    Local Time:
    2:30 AM
    MariadDB 10.4.25
    Not a Bug but a Vote :stop: asking politely to add the "Modern" option suggested by Mozilla to the script:
    Mozilla Configuration:
    Services with clients that support TLS 1.3 and don't need backward compatibility
    # generated 2022-05-13, Mozilla Guideline v5.6, nginx 1.20.0, OpenSSL 1.1.1, modern configuration
    # https://ssl-config.mozilla.org/#server=nginx&version=1.20.0&config=modern&openssl=1.1.1&guideline=5.6
    server {
       listen 80 default_server;
       listen [::]:80 default_server;
       location / {
           return 301 https://$host$request_uri;
    server {
       listen 443 ssl http2;
       listen [::]:443 ssl http2;
       ssl_certificate /path/to/signed_cert_plus_intermediates;
       ssl_certificate_key /path/to/private_key;
       ssl_session_timeout 1d;
       ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
       ssl_session_tickets off;
       # modern configuration
       ssl_protocols TLSv1.3;
       ssl_prefer_server_ciphers off;
       # HSTS (ngx_http_headers_module is required) (63072000 seconds)
       add_header Strict-Transport-Security "max-age=63072000" always;
       # OCSP stapling
       ssl_stapling on;
       ssl_stapling_verify on;
       # verify chain of trust of OCSP response using Root CA and Intermediate certs
       ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
       # replace with the IP address of your resolver