This page documents some sane settings for modern TLS security in nginx. I'm not particularly interested in backwards compatibility for this environment, so I won't be spending much time on supporting broken browsers or operating systems which should be deprecated. I realize this can be frustrating for some people, but given the revelations of the past couple of years regarding the use of insecure crypto, you're probably better off ignoring crypto completely than trying to implement questionable systems.
```nginx
# SSL configuration
listen 443 ssl spdy default_server;
ssl_certificate /etc/ssl/localcerts/mycert.chained.crt;
ssl_certificate_key /etc/ssl/localcerts/mycert.key;

# OCSP stapling support
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/localcerts/ocsp-chain.crt;

# HTTP Strict Transport Security header
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

# enables all versions of TLS, but not SSLv2 or 3, which are weak and now
# deprecated, or TLSv1, which has its own problems
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

# disables all weak ciphers and prefers AESGCM, but falls back to other
# elliptic curve ciphers if necessary
ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!eNULL:!EXPORT:!MEDIUM:!LOW:!DES:!MD5:!SHA1:!PSK:!RC4";
```
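To catch regressions when the block above is edited, here is an added offline audit script (not part of this page's configuration, written in Python for this example). It parses the TLS directives and checks them against the policy the block encodes: no SSLv2/SSLv3/TLSv1, server cipher preference on, the weak cipher classes excluded, stapling on, and an HSTS header with at least a one-year max-age and includeSubDomains. The embedded config text is a constructed sample copied from the directives above.

```python
import re

# Constructed sample: the TLS directives from the server block above (hypothetical file content)
SAMPLE_CONFIG = """
listen 443 ssl spdy default_server;
ssl_stapling on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!eNULL:!EXPORT:!MEDIUM:!LOW:!DES:!MD5:!SHA1:!PSK:!RC4";
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}          # versions the page rules out
MUST_EXCLUDE = {"aNULL", "eNULL", "EXPORT", "RC4", "MD5", "DES", "LOW"}

def parse_directives(text):
    """Yield (name, [args]) for each one-line ';'-terminated directive; full-line comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.endswith(";"):
            continue
        name, _, rest = line[:-1].partition(" ")
        yield name, [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', rest)]

def audit(text):
    """Return a list of policy findings; an empty list means the block matches the settings on this page."""
    directives = list(parse_directives(text))
    single = dict(directives)              # last occurrence wins for single-valued directives
    findings = []
    weak = set(single.get("ssl_protocols", [])) & WEAK_PROTOCOLS
    if weak:
        findings.append("weak protocols enabled: " + ", ".join(sorted(weak)))
    if single.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    excluded = {c[1:] for c in single.get("ssl_ciphers", [""])[0].split(":") if c.startswith("!")}
    if MUST_EXCLUDE - excluded:
        findings.append("cipher list does not exclude: " + ", ".join(sorted(MUST_EXCLUDE - excluded)))
    if single.get("ssl_stapling") != ["on"]:
        findings.append("OCSP stapling is off")
    hsts = [a[1] for n, a in directives if n == "add_header" and len(a) > 1 and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[-1])
        if not m or int(m.group(1)) < 31536000:
            findings.append("HSTS max-age is missing or below one year")
        if "includesubdomains" not in hsts[-1].lower():
            findings.append("HSTS header lacks includeSubDomains")
    return findings
```

Run `audit(open("/etc/nginx/sites-enabled/mysite").read())` against the real file; the directives must each sit on their own line, as they do in the block above.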
TLS/SSL Server Test: https://www.ssllabs.com/ssltest/index.html
```sh
# test OCSP configuration: prints the stapled OCSP response block if stapling
# is working; no output means the server did not staple a response
echo QUIT | openssl s_client -connect quay.net:443 -status 2> /dev/null | \
  grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
```