2 files changed, 12 insertions(+), 4 deletions(-)

M roles/nginx/files/snippets/sslsettings.conf
M roles/nginx/tasks/main.yml

@@ 1,12 1,16 @@
-# generated 2023-01-24, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, modern configuration
-# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1k&guideline=5.6
+# generated 2022-04-20, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6
 
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
 
-# modern configuration
-ssl_protocols TLSv1.3;
+# TODO: Upgrade to modern config
+# NOTE: Use intermediate config for old android smartphone support (synapse)
+# intermediate configuration
+ssl_dhparam /etc/ssl/dhparams.pem;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
 
 # HSTS (ngx_http_headers_module is required) (63072000 seconds)

@@ 58,6 58,10 @@
     group: root
     mode: 0755
 
+- name: Create DH group
+  # NOTE: Remove when upgrading to modern SSL config
+  ansible.builtin.command: openssl dhparam -out /etc/ssl/dhparams.pem 4096 creates=/etc/ssl/dhparams.pem
+
 - name: Start and enable nginx
   ansible.builtin.systemd:
     name: nginx