Tilecache: tweak ssl_ciphers
authorGrant Slater <git@firefishy.com>
Thu, 13 Feb 2014 01:29:26 +0000 (01:29 +0000)
committerGrant Slater <git@firefishy.com>
Thu, 13 Feb 2014 01:29:26 +0000 (01:29 +0000)
cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb

index f450322639d9bd13d2d75476c8d27a01a7a6f001..c27a531b35bef15f912eb29bdf460ec85b1e28dc 100644 (file)
@@ -5,11 +5,11 @@ server {
     ssl_certificate      /etc/ssl/certs/tile.openstreetmap.pem;
     ssl_certificate_key  /etc/ssl/private/tile.openstreetmap.key;
 
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3;
+    ssl_ciphers aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5;
     ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
+    ssl_session_cache shared:SSL:30m;
+    ssl_session_timeout 15m;
 
     location / { proxy_pass http://127.0.0.1; proxy_set_header X-Forwarded-For $remote_addr; }