From 670c0b53f0d9b21c13b57389f1cf21ead171688a Mon Sep 17 00:00:00 2001
From: Vilhelm Prytz
Date: Thu, 11 Jun 2020 22:21:34 +0200
Subject: [PATCH] Update "ssl_ciphers" in all nginx (SSL) configurations

updated the configurations to use what certbot uses, see https://github.com/certbot/certbot/blob/896c1e0b66817eff447b41f619772a6441b416df/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
---
 .snippets/webservers/nginx-centos.conf | 2 +-
 .snippets/webservers/nginx-php7.3.conf | 2 +-
 .snippets/webservers/nginx-php7.4.conf | 2 +-
 .snippets/webservers/nginx.conf | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.snippets/webservers/nginx-centos.conf b/.snippets/webservers/nginx-centos.conf
index 4f558994..27420dbe 100644
--- a/.snippets/webservers/nginx-centos.conf
+++ b/.snippets/webservers/nginx-centos.conf
@@ -27,7 +27,7 @@ server {
 ssl_certificate_key /etc/letsencrypt/live//privkey.pem;
 ssl_session_cache shared:SSL:10m;
 ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
 ssl_prefer_server_ciphers on;
 
 # See https://hstspreload.org/ before uncommenting the line below.
diff --git a/.snippets/webservers/nginx-php7.3.conf b/.snippets/webservers/nginx-php7.3.conf
index c8f379f4..b6616caa 100644
--- a/.snippets/webservers/nginx-php7.3.conf
+++ b/.snippets/webservers/nginx-php7.3.conf
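Review bot: The new ssl_ciphers line enables DHE-RSA-AES128-GCM-SHA256 and DHE-RSA-AES256-GCM-SHA384, but no `ssl_dhparam` directive appears in this hunk, and the certbot file the list is copied from is shipped together with a DH parameters file; without `ssl_dhparam`, nginx either leaves the DHE suites unusable or, depending on the nginx/OpenSSL build, falls back to whatever parameters the library supplies, so the effective cipher set is not what the configuration appears to say. Either add `ssl_dhparam /path/to/ssl-dhparams.pem;` (the path is a placeholder; use a vetted parameter file of at least 2048 bits) next to the `ssl_protocols` line, or drop the two DHE entries, since every listed ECDHE suite already provides forward secrecy. To my knowledge the referenced certbot snippet also sets `ssl_prefer_server_ciphers off`, whereas this hunk keeps it `on` with AES128-GCM first, so clients that prefer CHACHA20-POLY1305 (typically devices without AES hardware) are forced onto AES128-GCM; if matching certbot is the goal, change that context line to `ssl_prefer_server_ciphers off;` as well. The rest of the `server {}` block lies outside the hunk, so an `ssl_dhparam` set elsewhere in these files would already cover the first point. The same applies to the identical hunks in nginx-php7.3.conf, nginx-php7.4.conf and nginx.conf.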
@@ -27,7 +27,7 @@ server {
 ssl_certificate_key /etc/letsencrypt/live//privkey.pem;
 ssl_session_cache shared:SSL:10m;
 ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
 ssl_prefer_server_ciphers on;
 
 # See https://hstspreload.org/ before uncommenting the line below.
diff --git a/.snippets/webservers/nginx-php7.4.conf b/.snippets/webservers/nginx-php7.4.conf
index f1e81125..1043b4e9 100644
--- a/.snippets/webservers/nginx-php7.4.conf
+++ b/.snippets/webservers/nginx-php7.4.conf
@@ -27,7 +27,7 @@ server {
 ssl_certificate_key /etc/letsencrypt/live//privkey.pem;
 ssl_session_cache shared:SSL:10m;
 ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
 ssl_prefer_server_ciphers on;
 
 # See https://hstspreload.org/ before uncommenting the line below.
diff --git a/.snippets/webservers/nginx.conf b/.snippets/webservers/nginx.conf
index 97f37565..41f7c1b5 100644
--- a/.snippets/webservers/nginx.conf
+++ b/.snippets/webservers/nginx.conf
@@ -27,7 +27,7 @@ server {
 ssl_certificate_key /etc/letsencrypt/live//privkey.pem;
 ssl_session_cache shared:SSL:10m;
 ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
 ssl_prefer_server_ciphers on;
 
 # See https://hstspreload.org/ before uncommenting the line below.