From ca4097f1a205cb17be82ea071df088e78d031170 Mon Sep 17 00:00:00 2001
From: Andrew Geissler
Date: Thu, 31 May 2018 07:02:43 -0700
Subject: Move nginx ciphers to mozilla guidelines

Update the supported ciphers to those under the "Modern" section for mozilla. https://wiki.mozilla.org/Security/Server_Side_TLS

Resolves openbmc/openbmc#3209

Tested: Built image and verified nginx correctly starts and REST api't still work as expected.

Change-Id: I6692b42b6a1dec10e51b72654e75da4f0c0d3b99
Signed-off-by: Andrew Geissler
---
 .../meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf
index a626e4ad3..74010f9db 100644
--- a/meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf
+++ b/meta-openbmc-machines/meta-openpower/meta-ibm/recipes-httpd/nginx/files/nginx.conf
@@ -14,6 +14,8 @@ events {
 # Note that a lot of these settings come from the OWASP Secure
 # Configuration guide for nginx
 # https://www.owasp.org/index.php/SCG_WS_nginx
+# and the mozilla security guidelines
+# https://wiki.mozilla.org/Security/Server_Side_TLS
 http {
 include mime.types;
@@ -59,8 +61,7 @@ http {
 ssl_certificate_key @CERTPATH@/cert.pem;
 ssl_session_timeout 5m;
 ssl_protocols TLSv1.2;
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
-
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
 ssl_prefer_server_ciphers on;

 location / {
-- 
cgit v1.2.1
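Review bot: The new `ssl_ciphers` line copies a profile that Mozilla revises over time, but nothing in the hunk records which revision was taken, so a later reader cannot tell whether the list has drifted from the guideline; add a comment directly above it such as `# Mozilla "Modern" profile (TLS 1.2 suites) as copied on <DATE-PLACEHOLDER>; re-check the wiki when updating`. The four `*-AES256-SHA384` / `*-AES128-SHA256` entries are CBC-mode suites kept for compatibility, which matches the cited profile, and with `ssl_prefer_server_ciphers on` already set the AEAD suites listed first will be chosen by any client offering them, so this is informational only. The `ECDHE-ECDSA-*` entries only take effect if the key referenced by `ssl_certificate_key` is an EC key, which this hunk does not show; with an RSA key they are inert, and the ChaCha20 suites presumably also depend on the image's OpenSSL supporting them. Since every non-ECDHE and every `HIGH`-fallback suite is dropped, the `Tested:` note (REST API only) would be stronger if a cipher-enumeration scan of a built image were added to confirm the negotiated set is exactly this list and nothing weaker remains accepted. The enclosing `http {` block begins before and continues after this hunk.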