Move nginx ciphers to mozilla guidelines
Update the supported ciphers to those under the
"Modern" section for mozilla.
https://wiki.mozilla.org/Security/Server_Side_TLS
Resolves openbmc/openbmc#3209
Tested: Built image and verified nginx correctly starts
and REST api't still work as expected.
Change-Id: I6692b42b6a1dec10e51b72654e75da4f0c0d3b99
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf
index a626e4a..74010f9 100644
--- a/meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf
+++ b/meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf
@@ -14,6 +14,8 @@
# Note that a lot of these settings come from the OWASP Secure
# Configuration guide for nginx
# https://www.owasp.org/index.php/SCG_WS_nginx
+# and the mozilla security guidelines
+# https://wiki.mozilla.org/Security/Server_Side_TLS
http {
include mime.types;
@@ -59,8 +61,7 @@
ssl_certificate_key @CERTPATH@/cert.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2;
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
-
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
ssl_prefer_server_ciphers on;
location / {