From bda77ac0d15fa6344415f497cbc65299be32464a Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Thu, 11 Feb 2021 23:10:01 +0200
Subject: [PATCH] Enable more modern ciphers.

Mainly ChaCha20. Also disable AESCCM (as per
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
it's slow and uncommon).
---
 snippets/ssl.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/snippets/ssl.conf b/snippets/ssl.conf
index 8a0dd0a..cb1f77f 100644
--- a/snippets/ssl.conf
+++ b/snippets/ssl.conf
@@ -5,7 +5,7 @@ ssl_certificate             /var/ssl/site.crt;
 ssl_certificate_key         /var/ssl/site.key;
 ssl_dhparam                 /var/ssl/dhparams;
 ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-ssl_ciphers                 !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+ssl_ciphers                 !AESCCM:!kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:ECDH+CHACHA20:AES256+ECDH:AES128:CHACHA20:+SHA1;
 ssl_prefer_server_ciphers   on;
 ssl_session_cache           shared:SSL:50m;
 ssl_session_timeout         5m;
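Review bot: On the new `ssl_ciphers` line, `ECDH+CHACHA20` sits after `AESGCM+ECDH`, and `ssl_prefer_server_ciphers on` two lines below makes the server's order win. A TLS 1.2 client that offers both families (likely most clients that offer ChaCha20 at all) will therefore still negotiate AES-GCM, so the newly enabled suites are rarely selected. If the goal is to serve ChaCha20 to clients that rank it first, typically those without AES hardware, add `ssl_conf_command Options PrioritizeChaCha;`, which needs an nginx and OpenSSL build that support that directive and option. Separately, `ssl_ciphers` only governs TLS 1.2 and below, so the TLSv1.3 suites are untouched by this string, and the unchanged `ssl_protocols` line still admits TLSv1 and TLSv1.1, where the `+SHA1` CBC suites are the only ones available. A comment above the directive such as `# TLS <= 1.2 only; TLS 1.3 suites are configured separately` would record that.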
-- 
GitLab