set old cipher's priority to last

If old ciphers are used, make sure they are set to last in priority, which improves preferred order score.
2022-12-14 12:09:10 -07:00 · 2022-12-14 12:09:10 -07:00 · 2c2836c8b3
parent d2bd98d96e
commit 2c2836c8b3
1 changed files with 2 additions and 1 deletions
--- a/debian/resources/nginx/fusionpbx
+++ b/debian/resources/nginx/fusionpbx
@ -186,7 +186,8 @@ server {
 	ssl_certificate_key     /etc/ssl/private/nginx.key;
 	#ssl_protocols           TLSv1.2 TLSv1.3;
 	ssl_protocols	        TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-	ssl_ciphers             DHE-RSA-AES256-SHA:AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers             ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:AES256-SHA;
 	ssl_session_cache       shared:SSL:40m;
 	ssl_session_timeout     2h;
 	ssl_session_tickets     off;