Beta Branch OpenSSL 1.1.1 default in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Sep 26, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

  2. Sunka

    Sunka Well-Known Member

    @eva2000
    After upgrading nginx, openssl will be v1.1.1, but after that, should we also manually update ssl_ciphers?
    Code:
    ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;

    The above should replace the second row here (in mydomain.com.ssl.conf):
    Code:
    # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #######################add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      #######################spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    And after that, restart nginx.

    Also, is there something in my custom_config.inc that is not needed any more, or conflicts with something, or something that is missing and should be there?
    What do you think?
    Code:
    NGINX_LIBBROTLI=y # Brotli extension
    NGXDYNAMIC_BROTLI=y # Brotli dynamic module extension
    NGINX_PAGESPEED=n # nginx page speed
    NGXDYNAMIC_NGXPAGESPEED=n # nginx dynamic page speed
    PHP_MEMCACHE=n # memcache PHP extension
    PHP_MEMCACHED=n # memcached PHP extension
    PHP_PGO='y' # PGO Let It Go - Profile Guided Optimizations for PHP 7
    PHPPGO_INDEXPATH='/home/nginx/domains/pijanitvor.com/public/index.php' # path for PGO training
    AUDITD_ENABLE='y' # Auditd script
    RCLONE_ENABLE='y' # Rclone script
    NGINX_DEVTOOLSETGCC='y' # gcc compilation for nginx instead of clang
    #DEVTOOLSETEIGHT='y' # gcc 8.x for compilation instead of the default 5.x, 6.x or 7.x
    LIBRESSL_SWITCH='n' # OpenSSL instead of LibreSSL
    CLOUDFLARE_ZLIB='y' # enable Cloudflare zlib performance library by default for Nginx zlib
    DEVTOOLSETSEVEN='y' # gcc 7.x for compilation instead of the default 5.x or 6.x
    CLANG='n' # required for gcc compilation of nginx
    CRYPTO_DEVTOOLSETGCC='y' # newer Intel GCC
    NGX_LDGOLD='y' # Nginx support for using ld.gold linker
    NGX_GSPLITDWARF='y' # Nginx support for using ld.gold linker
    PHP_GSPLITDWARF='y' # Nginx/php support for using ld.gold linker
    NGINX_ZLIBCUSTOM='y' # add custom zlib 1.2.11+ version support to Nginx compiles - https://goo.gl/1WNZcH
    #NGINX_HPACK='y' # enabling HPACK for Nginx
    NGINX_DYNAMICTLS='y' # add Nginx Dynamic TLS Cloudflare Patch - http://bit.ly/2EYzhk7
    NGINXPATCH='y' # add Nginx Dynamic TLS Cloudflare Patch - http://bit.ly/2EYzhk7
    NGINX_GEOIPTWOLITE='y' # GeoIP2 Lite nginx module
    NGXDYNAMIC_GEOIPTWOLITE='y' # GeoIP2 Lite nginx module
    ENABLE_MARIADBTENTWOUPGRADE='y' # enabling upgrade MariaDB from 10.1.x to 10.2.x
     
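The question above is which entries of such a long copy-pasted ssl_ciphers list are still worth carrying. As an added example (not Centmin Mod's or the poster's code), a small Python audit splits an nginx ssl_ciphers value into suite names and flags 3DES, non-forward-secret and CBC (non-AEAD) suites; the sample string is a shortened copy of the first list in the post, constructed here.

```python
"""Audit an nginx ssl_ciphers string for legacy suites (added example)."""
import re

# Constructed sample: a shortened copy of the cipher list quoted in the post.
SAMPLE = ("TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:"
          "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
          "DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA256:"
          "AES256-SHA:DES-CBC3-SHA:!DSS;")


def parse_cipher_string(s):
    """Split an OpenSSL-style cipher string into (name, is_exclusion) pairs.

    Empty tokens and the trailing ';' of nginx directive syntax are dropped;
    '!' and '-' prefixes mark exclusions, '+' is a reorder and is stripped.
    """
    tokens = [t.strip() for t in s.rstrip(";").split(":") if t.strip()]
    return [(t.lstrip("!-+"), t[0] in "!-") for t in tokens]


def classify(name):
    """Return findings for one suite name (pattern-based, name conventions only)."""
    f = {"name": name, "tls13": name.startswith("TLS13-"), "issues": []}
    if "DES-CBC3" in name:
        f["issues"].append("3DES (64-bit block, Sweet32)")
    if not f["tls13"] and not re.match(r"^(ECDHE|DHE|EDH)-", name):
        f["issues"].append("no forward secrecy (static RSA key exchange)")
    if not re.search(r"GCM|CHACHA20|CCM", name):
        f["issues"].append("non-AEAD (CBC mode)")
    return f


def audit(s):
    """Audit a cipher string; returns (list of findings, list of excluded names)."""
    findings, exclusions = [], []
    for name, excluded in parse_cipher_string(s):
        if excluded:
            exclusions.append(name)
        else:
            findings.append(classify(name))
    return findings, exclusions


def legacy_names(s):
    """Suite names in the string that carry at least one finding."""
    return [f["name"] for f in audit(s)[0] if f["issues"]]


if __name__ == "__main__":
    for f in audit(SAMPLE)[0]:
        print(f"{f['name']:<35} {'; '.join(f['issues']) or 'ok'}")
```

Run it against the full list from mydomain.com.ssl.conf to see which rows can be dropped before restarting nginx.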
  3. eva2000

    eva2000 Administrator Staff Member

    Yes, a manual update is needed; see the 2nd post at OpenSSL - OpenSSL 1.1.1 Released with TLS 1.3 Support.

    You don't need these, as they're 123.09beta01 defaults:
    Code (Text):
    NGINX_PAGESPEED=n # nginx page speed
    NGXDYNAMIC_NGXPAGESPEED=n # nginx dynamic page speed
    LIBRESSL_SWITCH='n' # OpenSSL instead of LibreSSL
    CLOUDFLARE_ZLIB='y' # enable Cloudflare zlib performance library by default for Nginx zlib
    DEVTOOLSETSEVEN='y' # gcc 7.x for compilation instead of the default 5.x or 6.x
    CLANG='n' # required for gcc compilation of nginx
    NGX_LDGOLD='y' # Nginx support for using ld.gold linker
    NGX_GSPLITDWARF='y' # Nginx support for using ld.gold linker
    PHP_GSPLITDWARF='y' # Nginx/php support for using ld.gold linker
    NGINX_ZLIBCUSTOM='y' # add custom zlib 1.2.11+ version support to Nginx compiles - https://goo.gl/1WNZcH