nginx: update ciphers and tls to v1.3

defaults/main.yml

@@ -48,6 +48,8 @@ nginx_open_ports:
   - 443
 
 nginx_tls_enabled: False
+nginx_tls_version:
+  - TLSv1.2
 # Source has to be a file
 nginx_tls_cert_source: mycert.pem
 nginx_tls_key_source: mykey.pem
@@ -58,11 +60,8 @@ nginx_tls_key_file: mykey.pem
 # nginx_tls_dhparam_size: # defaults to 2048
 
 nginx_tls_ciphers:
-  - ECDHE-RSA-AES256-GCM-SHA512
-  - DHE-RSA-AES256-GCM-SHA512
-  - ECDHE-RSA-AES256-GCM-SHA384
-  - DHE-RSA-AES256-GCM-SHA384
-  - ECDHE-RSA-AES256-SHA384
+  - EECDH+AESGCM
+  - EDH+AESGCM
 
 nginx_tls_ocsp_enabled: False
 # nginx_tls_ocsp_trusted_certificate: # defaults to not set

templates/etc/nginx/conf.d/tls.conf.j2

@@ -2,12 +2,17 @@
 # {{ ansible_managed }}
 ssl_ciphers '{{ nginx_tls_ciphers | join(":") }}';
 ssl_prefer_server_ciphers on;
+{% if nginx_tls_ecdh_curve is defined %}
+ssl_ecdh_curve {{ nginx_tls_ecdh_curve }};
+{% endif %}
 {% if nginx_tls_dhparam_file is defined %}
 ssl_dhparam {{ nginx_tls_dhparam_file }};
 {% endif %}
 
-ssl_protocols TLSv1.2;
+ssl_protocols {{ nginx_tls_versions | join(" ") }};
 ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+ssl_session_tickets off;
 
 {% if nginx_tls_ocsp_enabled %}
 ssl_stapling on;