How to disable weak ciphers on nginx

I’ve read and reposted this post here https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ that explains how to remove some weak ciphers from nginx and apache.

It has been useful, but I’ve found I needed to edit the string a little and remove some ciphers that the Qualys SSL check considered weak.

Here’s the string, in case you have a similar need.

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AES256+GCM+SHA256:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES128-SHA256:!AES256-SHA:!AES256-SHA256
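One way to check what the string above really enables before putting it in nginx's `ssl_ciphers` directive: the script below is an added example, not part of the original post or of the linked article. It expands a cipher string with the local `openssl` binary and reports any suite the post excludes by name; the function names and the `DENY` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example. DENY holds the suite names that the post's string
# excludes explicitly (its "!NAME" entries).
DENY="AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA AES128-SHA256 AES256-SHA AES256-SHA256"

# Read `openssl ciphers -v` output on stdin and print every suite whose
# name (first column) is on the deny list. The match is exact, so
# ECDHE-RSA-AES128-GCM-SHA256 is not confused with AES128-GCM-SHA256.
# Exit status is 1 if at least one denied suite was found, 0 otherwise.
find_denied() {
    awk -v deny="$DENY" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        ($1 in bad) { print $1; hit = 1 }
        END { exit (hit ? 1 : 0) }
    '
}

# Expand a cipher string with the local OpenSSL and audit the result.
# Status 2 means OpenSSL could not parse the string at all.
# Note: OpenSSL 1.1.1 and later also list TLS 1.3 suites (names starting
# with TLS_); those are not controlled by this string.
check_cipher_string() {
    expanded=$(openssl ciphers -v "$1") || {
        echo "openssl rejected the cipher string" >&2
        return 2
    }
    printf '%s\n' "$expanded" | find_denied
}

# Usage: sh check_ciphers.sh 'ECDH+AESGCM:DH+AESGCM:...'
if [ "$#" -gt 0 ]; then
    check_cipher_string "$1"
fi
```

No output and exit status 0 mean none of the excluded suites survived the expansion on this OpenSSL build; run it on the same host as nginx, since the expansion depends on the installed OpenSSL version.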


Hardening Your Web Server’s SSL Ciphers · Hynek Schlawack

There are many wordy articles on configuring your web server’s TLS ciphers. This is not one of them. Instead I will share a configuration which is both compatible enough for today’s needs and scores a straight “A” on Qualys’s SSL Server Test.
