|
|
@@ -142,15 +142,12 @@
|
|
|
{{- define "ssl_policy" }}
|
|
|
{{- if eq .ssl_policy "Mozilla-Modern" }}
|
|
|
ssl_protocols TLSv1.3;
|
|
|
- {{- /*
|
|
|
- * nginx currently lacks ability to choose ciphers in TLS 1.3 in
|
|
|
- * configuration, see https://trac.nginx.org/nginx/ticket/1529.
|
|
|
- * A possible workaround can be modify /etc/ssl/openssl.cnf to change
|
|
|
- * it globally (see https://trac.nginx.org/nginx/ticket/1529#comment:12).
|
|
|
- * Explicitly set nginx default value in order to allow single servers
|
|
|
- * to override the global http value.
|
|
|
- */}}
|
|
|
- ssl_ciphers HIGH:!aNULL:!MD5;
|
|
|
+ {{- /*
|
|
|
+ * This ssl_ciphers directive is not used but necessary to get TLSv1.3 only.
|
|
|
+ * see https://serverfault.com/questions/1023766/nginx-with-only-tls1-3-cipher-suites
|
|
|
+ */}}
|
|
|
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
|
|
|
+ ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
|
|
|
ssl_prefer_server_ciphers off;
|
|
|
{{- else if eq .ssl_policy "Mozilla-Intermediate" }}
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
|
@@ -162,6 +159,10 @@
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
{{- else if eq .ssl_policy "AWS-TLS13-1-3-2021-06" }}
|
|
|
ssl_protocols TLSv1.3;
|
|
|
+ {{- /*
|
|
|
+ * This ssl_ciphers directive is not used but necessary to get TLSv1.3 only.
|
|
|
+ * see https://serverfault.com/questions/1023766/nginx-with-only-tls1-3-cipher-suites
|
|
|
+ */}}
|
|
|
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
|
|
|
ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
|
|
|
ssl_prefer_server_ciphers on;
|
Nicolas Duchon