Add comment about TLS curves for older servers.
authorArtik Banana <lid@tuta.io>
Sat, 16 Jun 2018 18:14:05 +0000 (18:14 +0000)
committerArtik Banana <lid@tuta.io>
Sat, 16 Jun 2018 18:14:05 +0000 (18:14 +0000)
installation/pleroma.nginx

index e9eeb1848125304190cb0c61f1679644288011dc..78327594fbba9eb9a3f033f591080cbaa590dbc3 100644 (file)
@@ -41,6 +41,8 @@ server {
     # ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
     ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
     ssl_prefer_server_ciphers on;
+    # In case of an old server with an OpenSSL version of 1.0.2 or below,
+    # leave only prime256v1 or comment out the following line.
     ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
     ssl_stapling on;
     ssl_stapling_verify on;