From fbffbf8ef076b942c18ab7fcff94d5cbca89a18c Mon Sep 17 00:00:00 2001
From: Tom Daff
Date: Mon, 7 Jan 2019 16:19:51 +0000
Subject: [PATCH] puppet/nginx: Update to recommended SSL ciphers.

Update the list of ciphers that nginx will use to the current Mozilla recommended ones. These are Intermediate compatibility ones suitable for clients running anything newer than Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1. Modern compatibility is not suitable as it excludes Andriod 4 which is still seen on ~1% of traffic. More info: https://wiki.mozilla.org/Security/Server_Side_TLS
---
 puppet/zulip/files/nginx/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/puppet/zulip/files/nginx/nginx.conf b/puppet/zulip/files/nginx/nginx.conf
index 04ab3e0f93..a62ec4d829 100644
--- a/puppet/zulip/files/nginx/nginx.conf
+++ b/puppet/zulip/files/nginx/nginx.conf
@@ -53,7 +53,7 @@ http {
 ssl_prefer_server_ciphers On;
 ssl_session_cache shared:SSL:10m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+ ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
 include /etc/nginx/conf.d/*.conf;
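Review bot: The new `ssl_ciphers` list enables the DHE-RSA-* and EDH-RSA-DES-CBC3-SHA suites, but no `ssl_dhparam` directive appears in the visible context of the `http` block, which starts and continues outside this hunk. Without one, nginx 1.11.0 and later does not offer DHE suites at all, and earlier versions fall back to built-in parameters, which I believe are 1024-bit and so smaller than the 2048-bit group the Mozilla Intermediate profile pairs with this list. If it is not already set elsewhere, add `ssl_dhparam <path-to-2048-bit-dhparam.pem>;` (placeholder path) beside `ssl_ciphers`, or drop the DHE entries. A comment above the directive such as `# Mozilla Intermediate cipher list, taken 2019-01 from wiki.mozilla.org/Security/Server_Side_TLS` would also make the long string easier to audit and refresh; the 3DES entries at the tail are the first candidates to remove once legacy-client traffic allows.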