Hardening SSL ciphers

I wrote a post previously about disabling SSLv2 and enabling SSLv3 and TLSv1. Times have changed since then; it's been best practice for a long time now to only use TLSv1.1 and TLSv1.2 with forward secrecy. This post replaces the previous post and will be updated with the latest best practices as they appear.

I've added these directives to my nginx servers to harden TLS:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_prefer_server_ciphers on;
Place them in the http block. Generate the dhparam file with openssl (4096-bit parameter generation takes a while) and put it at the path given in ssl_dhparam: openssl dhparam -out dhparam.pem 4096
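As an added example (not part of the original post), here is a small POSIX sh linter that reads an nginx config file and reports whether the three directives above are set the way the post recommends. It uses only sh, sed and grep, so it runs on any host that runs nginx. The two config files it checks are constructed samples: the first is the post's own http-block snippet, the second a weak pre-hardening config. Note that the snippet above still lists TLSv1 even though the text recommends TLSv1.1 and TLSv1.2 only; the linter reports that as a warning rather than a failure.

```shell
#!/bin/sh
# Added example, not from the original post: lint an nginx config against
# the TLS hardening advice above (ssl_protocols, ssl_dhparam,
# ssl_prefer_server_ciphers). POSIX sh + sed + grep only.

# Constructed sample: the post's http-block snippet.
GOOD_CONF="$(mktemp)"
cat > "$GOOD_CONF" <<'EOF'
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;
}
EOF

# Constructed sample: a weak config from before hardening.
WEAK_CONF="$(mktemp)"
cat > "$WEAK_CONF" <<'EOF'
http {
    ssl_protocols SSLv3 TLSv1;
    ssl_prefer_server_ciphers off;
}
EOF
trap 'rm -f "$GOOD_CONF" "$WEAK_CONF"' EXIT

# directive_value FILE NAME: print the value of the first NAME directive
# (text between the name and the ';'), or nothing if it is absent.
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);.*\$/\1/p" "$1" | head -n 1
}

# check_tls_config FILE: print FAIL/WARN/INFO findings; return 0 only when
# there is no FAIL.
check_tls_config() {
    conf="$1"
    status=0

    protos="$(directive_value "$conf" ssl_protocols)"
    if [ -z "$protos" ]; then
        echo "FAIL: ssl_protocols not set"
        status=1
    else
        for p in $protos; do
            case "$p" in
                SSLv2|SSLv3)             echo "FAIL: $p enabled"; status=1 ;;
                TLSv1)                   echo "WARN: $p enabled; post recommends TLSv1.1/TLSv1.2 only" ;;
                TLSv1.1|TLSv1.2|TLSv1.3) ;;
                *)                       echo "WARN: unrecognised protocol token $p" ;;
            esac
        done
    fi

    prefer="$(directive_value "$conf" ssl_prefer_server_ciphers)"
    if [ "$prefer" != "on" ]; then
        echo "FAIL: ssl_prefer_server_ciphers is '${prefer:-unset}', expected on"
        status=1
    fi

    dhparam="$(directive_value "$conf" ssl_dhparam)"
    if [ -z "$dhparam" ]; then
        echo "FAIL: ssl_dhparam not set"
        status=1
    elif [ ! -r "$dhparam" ]; then
        echo "WARN: ssl_dhparam file $dhparam not found on this host"
    else
        echo "INFO: ssl_dhparam $dhparam present"
    fi

    return "$status"
}

# fail_count FILE: number of FAIL findings, for use in scripts.
fail_count() {
    check_tls_config "$1" | grep -c '^FAIL'
}

echo "== post's config =="; check_tls_config "$GOOD_CONF"
echo "== weak config ==";   check_tls_config "$WEAK_CONF" || true
```

Point check_tls_config at your real nginx.conf (or whichever file carries the http block) to re-check after an upgrade; a non-zero exit makes it easy to wire into a deploy pipeline.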
awesome, thanks