From 75b581bf98ff796f84e1f47917a88682bc0b5eb5 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Tue, 11 Jun 2019 22:58:53 +0200
Subject: [PATCH] nginx: update ciphers and tls to v1.3
---
 defaults/main.yml | 9 ++++-----
 templates/etc/nginx/conf.d/tls.conf.j2 | 7 ++++++-
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 11aa06e..564f948 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -48,6 +48,8 @@ nginx_open_ports:
   - 443
 nginx_tls_enabled: False
+nginx_tls_version:
+  - TLSv1.2
 # Source has to be a file
 nginx_tls_cert_source: mycert.pem
 nginx_tls_key_source: mykey.pem
@@ -58,11 +60,8 @@ nginx_tls_key_file: mykey.pem
 # nginx_tls_dhparam_size: # defaults to 2048
 nginx_tls_ciphers:
-  - ECDHE-RSA-AES256-GCM-SHA512
-  - DHE-RSA-AES256-GCM-SHA512
-  - ECDHE-RSA-AES256-GCM-SHA384
-  - DHE-RSA-AES256-GCM-SHA384
-  - ECDHE-RSA-AES256-SHA384
+  - EECDH+AESGCM
+  - EDH+AESGCM
 nginx_tls_ocsp_enabled: False
 # nginx_tls_ocsp_trusted_certificate: # defaults to not set
diff --git a/templates/etc/nginx/conf.d/tls.conf.j2 b/templates/etc/nginx/conf.d/tls.conf.j2
index 8d56cc9..dafe9ab 100644
--- a/templates/etc/nginx/conf.d/tls.conf.j2
+++ b/templates/etc/nginx/conf.d/tls.conf.j2
@@ -2,12 +2,17 @@
 # {{ ansible_managed }}
 ssl_ciphers '{{ nginx_tls_ciphers | join(":") }}';
 ssl_prefer_server_ciphers on;
+{% if nginx_tls_ecdh_curve is defined %}
+ssl_ecdh_curve {{ nginx_tls_ecdh_curve }};
+{% endif %}
 {% if nginx_tls_dhparam_file is defined %}
 ssl_dhparam {{ nginx_tls_dhparam_file }};
 {% endif %}
-ssl_protocols TLSv1.2;
+ssl_protocols {{ nginx_tls_versions | join(" ") }};
 ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+ssl_session_tickets off;
 {% if nginx_tls_ocsp_enabled %}
 ssl_stapling on;
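Review bot: The new default is named `nginx_tls_version`, but the template in this same commit renders `ssl_protocols` from `nginx_tls_versions` (plural), so with Ansible's default undefined-variable handling the template task fails, and any user who overrides the documented `nginx_tls_version` will not change the protocol list at all. The default also still lists only TLSv1.2 even though the subject says "tls to v1.3", so the commit as written enables nothing new. I would rename the key to match the template and add the 1.3 entry, `nginx_tls_versions:` / `  - TLSv1.2` / `  - TLSv1.3`, with a comment such as `# TLSv1.3 needs nginx built against OpenSSL 1.1.1 or later; drop it on older hosts` next to it. Whether the role targets such hosts cannot be told from this hunk.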
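Review bot: The new `EECDH+AESGCM` / `EDH+AESGCM` groups are OpenSSL cipher-string aliases that only govern TLS 1.2 and earlier; nginx does not apply `ssl_ciphers` to TLS 1.3 suites (those are selected by OpenSSL's own Ciphersuites setting), so a reader enabling 1.3 via this role should not expect the list to constrain it. A comment above the list would prevent that misreading, e.g. `# OpenSSL cipher groups for TLS <= 1.2; TLS 1.3 suites are not affected by ssl_ciphers`. Also worth noting is that `EDH+AESGCM` re-enables finite-field DHE, which depends on the optional `nginx_tls_dhparam_file` directly above; if no dhparam file is configured, whether DHE suites are offered at all and with what group size depends on the nginx/OpenSSL version, which this hunk does not pin down. Dropping ChaCha20-Poly1305 from the groups is a choice, not a defect, but it leaves clients without AES hardware acceleration on a slower suite.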