
Beta Branch update nginx default ssl_cipher configuration

Discussion in 'Centmin Mod Github Commits' started by eva2000, Aug 19, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    30,562
    6,851
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,266
    Local Time:
    5:36 AM
    Nginx 1.13.x
    MariaDB 5.5
  2. eva2000

    Only an issue with Pingdom Tools reporting errors; other sites and visitors are fine, and it only affects some servers by users. Have 160+ servers without issue with Pingdom Tools myself.

    Basically replacing this part of ssl_ciphers in HTTPS vhosts

    from

    Code (Text):
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    


    to this

    Code (Text):
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    

    Restart nginx after changes.
     
    Last edited: Aug 19, 2017
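
As an added example (not part of the original post and not Centmin Mod's own code), this Python script parses the replacement ssl_ciphers value quoted above and groups its explicit suite names by 3DES, static RSA key exchange and CBC mode, the properties a reviewer would check after swapping the old selector-based string, which carried `!3DES`, for an explicit list. It assumes explicit OpenSSL suite names; selector syntax such as `EECDH+AESGCM` in the old value has to be expanded with `openssl ciphers -v` instead.

```python
# Added example (not Centmin Mod code): audit the explicit suite names in the
# new ssl_ciphers value quoted in the post above.
NEW_DIRECTIVE = (
    "ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;"
)

FS_PREFIXES = ("ECDHE", "DHE", "EDH")  # ephemeral (EC)DH key exchange


def parse(directive):
    """Split an ssl_ciphers directive into (suite names, '!' exclusions)."""
    value = directive.strip().rstrip(";").split(None, 1)[1]
    items = [i for i in value.split(":") if i]
    suites = [i for i in items if not i.startswith("!")]
    exclusions = [i for i in items if i.startswith("!")]
    return suites, exclusions


def audit(directive):
    """Group explicit suite names by the properties a reviewer checks first."""
    suites, exclusions = parse(directive)
    report = {"total": len(suites), "exclusions": exclusions,
              "triple_des": [], "no_forward_secrecy": [], "cbc_mode": []}
    for name in suites:
        parts = name.split("-")
        if "CBC3" in parts:                  # DES-CBC3 = 3DES, 64-bit block
            report["triple_des"].append(name)
        if parts[0] not in FS_PREFIXES:      # no prefix = static RSA key exchange
            report["no_forward_secrecy"].append(name)
        if "GCM" not in parts and "CHACHA20" not in parts:
            report["cbc_mode"].append(name)  # every non-AEAD suite here is CBC
    return report


if __name__ == "__main__":
    for key, val in audit(NEW_DIRECTIVE).items():
        print(f"{key}: {val}")
```

To check the old selector-based value the same way, expand it first with `openssl ciphers -v '<value>'` on the server's OpenSSL build and feed the resulting suite names to `audit`.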