M roles/nginx/files/snippets/sslsettings.conf => roles/nginx/files/snippets/sslsettings.conf +8 -4
@@ 1,12 1,16 @@
-# generated 2023-01-24, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, modern configuration
-# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1k&guideline=5.6
+# generated 2022-04-20, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
-# modern configuration
-ssl_protocols TLSv1.3;
+# TODO: Upgrade to modern config
+# NOTE: Use intermediate config for old android smartphone support (synapse)
+# intermediate configuration
+ssl_dhparam /etc/ssl/dhparams.pem;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
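Review bot: The `TODO`/`NOTE` comments above `ssl_dhparam` give the reason for re-enabling TLSv1.2 but not its scope or exit condition. This file is a shared snippet, so presumably every server block that includes it now offers TLSv1.2 and the DHE suites, not only synapse. I would make that explicit, e.g. `# TODO: return to modern (TLSv1.3 only) once synapse clients no longer need TLSv1.2; applies to every vhost including this snippet`. The new `ssl_dhparam /etc/ssl/dhparams.pem;` also makes nginx's config load depend on a file that only the `Create DH group` task in roles/nginx/tasks/main.yml produces, which deserves a one-line comment next to the directive.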
M roles/nginx/tasks/main.yml => roles/nginx/tasks/main.yml +4 -0
@@ 58,6 58,10 @@
group: root
mode: 0755
+- name: Create DH group
+ # NOTE: Remove when upgrading to modern SSL config
+ ansible.builtin.command: openssl dhparam -out /etc/ssl/dhparams.pem 4096 creates=/etc/ssl/dhparams.pem
+
- name: Start and enable nginx
ansible.builtin.systemd:
name: nginx
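Review bot: The private 4096-bit group generated by `Create DH group` deviates from the Mozilla v5.6 intermediate profile cited in the snippet header, which specifies the predefined ffdhe2048 group (RFC 7919). The deviation is undocumented, and 4096-bit generation can stall the play for a long time on a small host. Either ship the ffdhe2048 parameters as a role file, or add a comment stating why a locally generated group is preferred. Separately, `creates=` embedded in the free-form string is the legacy form; passing `cmd: openssl dhparam -out /etc/ssl/dhparams.pem 4096` with a separate `creates: /etc/ssl/dhparams.pem` argument keeps the idempotence guard visible.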