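# TLS settings for the mail.univers.su virtual host (nginx server context).
# "ssl on;" is the legacy switch; newer nginx builds deprecate it in favour of the
# "ssl" parameter on the listen directive, which is outside this snippet.
ssl on;
ssl_certificate /etc/ssl/mail.univers.su/mail.univers.su.bundle.pem;
ssl_certificate_key /etc/ssl/mail.univers.su/mail.univers.su.key;
# ssl_client_certificate was dropped: it belongs to client-certificate verification
# (ssl_verify_client) and is not needed for OCSP stapling once ssl_trusted_certificate
# is set below.

# Protocols: TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is offered.
# Add TLSv1.3 to this list once the nginx/OpenSSL build accepts it.
ssl_protocols TLSv1.2;

# Cipher suites: forward-secret ECDHE/DHE AES suites only. RC4 and 3DES (a 64-bit
# block cipher) are excluded explicitly; the previous list still offered DES-CBC3-SHA.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!eNULL:!MEDIUM:!LOW:!DES:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED';
# Let the server's cipher order win so the GCM suites listed first are chosen.
# (This does not by itself mitigate BEAST; removing TLS 1.0 above does.)
ssl_prefer_server_ciphers on;

# Session cache shared across worker processes (about 4000 sessions per MB), 10 min lifetime.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

# HSTS: instruct browsers to use HTTPS only for one year. The value is the header's own
# directive syntax; the stray trailing ";" inside the quoted value has been removed.
# add_header is not inherited by a location block that sets its own add_header; repeat
# it there if needed.
add_header Strict-Transport-Security "max-age=31536000";

# OCSP stapling. The resolver is used only to look up the CA's OCSP responder; prefer a
# local trusted resolver over public DNS when one is available (lookups are plaintext).
# Verification: openssl s_client -connect mail.univers.su:443 -tlsextdebug -status | grep OCSP
resolver 8.8.8.8 8.8.4.4 valid=600s;
resolver_timeout 15s;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/mail.univers.su/intermediate.pem;

# Diffie-Hellman parameters for the DHE suites (2048 bits recommended). Without
# ssl_dhparam, older nginx builds fall back to a built-in 1024-bit group and newer ones
# disable DHE entirely, so either set this or drop the DHE-* suites above.
# 4096 bits is costly per handshake; reserve it for low-traffic admin interfaces:
#   openssl dhparam -outform PEM -out dhparam4096.pem 4096
#ssl_dhparam /etc/ssl/mail.univers.su/dhparam4096.pem;
# Optional: pin the ECDHE curve (the default depends on the nginx/OpenSSL version).
#ssl_ecdh_curve secp384r1;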