2023-09-14, 06:25 PM
For anybody running LSIO swag, you can set this up by editing /swag/nginx/ssl.conf
Comment out the following:
Code:
# intermediate configuration (original to swag -- backup config)
#ssl_protocols TLSv1.2 TLSv1.3;
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
#ssl_prefer_server_ciphers off;
And replace it with what's recommended above:
Code:
# disable weak TLS ciphers (may break some things)
# note: with OpenSSL, ssl_ciphers only governs the TLS 1.2 suites; TLS 1.3 suites are set separately (ssl_conf_command Ciphersuites)
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384; # last entry is plain RSA key exchange (no forward secrecy)
ssl_ecdh_curve secp384r1; # single curve: X25519 is no longer offered to clients
ssl_prefer_server_ciphers on; # server's order wins for TLS 1.2 negotiation
While you're in here, you may as well change a few things that were recommended here and are already part of this config but commented out:
Code:
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;
Which is commented out (just uncomment the second line). The ssl_session_tickets off; option already exists correctly as above in the ssl.conf, so there's no need to add this to the swag config files.
You can also change some of the other header-related items that are recommended, but I am still looking at how this affects my other offerings. I turned on:
Code:
add_header X-Content-Type-Options "nosniff" always;
And that hasn't broken anything that I can tell as of yet. I was able to remove this from my Jellyfin proxy-conf file.
I ran the SSL test again right after changing the config and got a LOT more green, but still had some issues I'm not sure are accurate. Anyway, I figured that after I tinkered and figured out how to get this working in Swag, I'd share with other folks as well. Thanks again for your help with explaining what the report meant @TheDreadPirate!
Jellyfin 10.10.0 LSIO Docker | Ubuntu 24.04 LTS | i7-13700K | Arc A380 6 GB | 64 GB RAM | 79 TB Storage
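A way to check an ssl.conf edit like the one above before re-running an online SSL test, as an added example that is not part of the post and not SWAG's or Jellyfin's code: the script below parses nginx directive lines (including commented-out ones, so it can tell "disabled" from "missing"), and reports the points a scanner would mark down: legacy protocols, cipher suites without ECDHE/DHE forward secrecy, session tickets left on, a missing or short HSTS header, and a missing nosniff header. BEFORE_CONF and AFTER_CONF are constructed here to mirror the swag-default and hardened blocks quoted in the post; the severity labels and thresholds are this example's own choices, not anything the SSL test publishes.

```python
"""Lint the TLS directives of an nginx ssl.conf fragment.

Added example, not SWAG's or Jellyfin's code. The two sample configs are
constructed to mirror the swag-default block and the hardened block in the
post above.
"""
import re

# name, value, ";" and an optional trailing "# comment"; a ";" inside a quoted
# value (e.g. a CSP header) is handled because the match must reach end of line
DIRECTIVE_RE = re.compile(r"^([a-z_]+)\s+(.*?)\s*;\s*(?:#.*)?$")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")  # substrings of broken suites
ONE_YEAR = 31536000  # HSTS max-age below this is commonly marked down

BEFORE_CONF = """
# constructed: swag default block, uncommented
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;
"""

AFTER_CONF = """
# constructed: the hardened block from the post, with HSTS and nosniff enabled
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Content-Type-Options "nosniff" always;
"""


def parse_directives(text):
    """Return (name, value, commented) for every directive-looking line.

    Commented directives are kept so the linter can report "present but
    disabled" (the HSTS case in the post) instead of just "missing".
    """
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        commented = line.startswith("#")
        match = DIRECTIVE_RE.match(line.lstrip("# "))
        if match:
            found.append((match.group(1), match.group(2), commented))
    return found


def _active(directives, name):
    """Values of the non-commented occurrences of a directive, in file order."""
    return [v for n, v, c in directives if n == name and not c]


def lint_ssl_conf(text):
    """Return a list of (severity, directive, message) findings."""
    directives = parse_directives(text)
    findings = []

    for value in _active(directives, "ssl_protocols"):
        legacy = sorted(set(value.split()) & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(("high", "ssl_protocols",
                             "legacy protocols enabled: " + " ".join(legacy)))

    for value in _active(directives, "ssl_ciphers"):
        for suite in value.split(":"):
            if not suite or suite.startswith(("!", "@")):
                continue  # "!RC4" exclusions and "@STRENGTH" modifiers are not suites
            if any(marker in suite for marker in WEAK_MARKERS):
                findings.append(("high", "ssl_ciphers", f"broken suite {suite}"))
            elif not suite.startswith(("ECDHE-", "DHE-")):
                findings.append(("medium", "ssl_ciphers",
                                 f"{suite} uses RSA key exchange: no forward secrecy"))

    for value in _active(directives, "ssl_ecdh_curve"):
        if value != "auto" and "X25519" not in value.upper().split(":"):
            findings.append(("info", "ssl_ecdh_curve",
                             "X25519 not offered: TLS 1.3 clients that send only an "
                             "X25519 key_share first get a HelloRetryRequest"))

    tickets = _active(directives, "ssl_session_tickets")
    if not tickets or tickets[-1] != "off":
        findings.append(("medium", "ssl_session_tickets",
                         "session tickets enabled: a long-lived ticket key weakens forward secrecy"))

    def header(name):
        return [(v, c) for n, v, c in directives
                if n == "add_header" and v.split()[:1] == [name]]

    hsts = header("Strict-Transport-Security")
    live = [v for v, c in hsts if not c]
    if not live:
        findings.append(("medium", "add_header",
                         "HSTS missing" + (" (present but commented out)" if hsts else "")))
    else:
        age = re.search(r"max-age=(\d+)", live[-1])
        if not age or int(age.group(1)) < ONE_YEAR:
            findings.append(("low", "add_header", "HSTS max-age below one year"))

    if not [v for v, c in header("X-Content-Type-Options") if not c]:
        findings.append(("low", "add_header", "X-Content-Type-Options nosniff missing"))
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        print(f"== {label} ==")
        for severity, directive, message in lint_ssl_conf(conf):
            print(f"[{severity}] {directive}: {message}")
```

Run it against the real file with `lint_ssl_conf(open("/swag/nginx/ssl.conf").read())`. One caveat worth knowing when reading the headers it reports: nginx inherits add_header from an enclosing block only when the current block sets no add_header of its own, so a proxy-conf location that adds any header by itself silently drops the ones set in ssl.conf; check the effective set for each location, not just ssl.conf.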