Commit 2d88be70 authored by Martin Weinelt, committed by github-actions[bot]

nixos/nginx: add support for PQ key exchanges in TLS1.3

The Mozilla Server-Side TLS guide is lagging quite a bit, because since
OpenSSL 3.5.0 we can provide hybrid key exchanges, that hopefully protect
against "store now, decrypt later" attacks, that could be applied once
capable quantum computers eventually come into existence.

(cherry picked from commit 788e084c)
parent a4579260
+2 −2
@@ -205,9 +205,9 @@ let
            ${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"}

            ${optionalString cfg.recommendedTlsSettings ''
              # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
              # Consider https://ssl-config.mozilla.org/#server=nginx&config=intermediate as the lower bound

              ssl_ecdh_curve X25519:prime256v1:secp384r1;
              ssl_conf_command Groups "X25519MLKEM768:X25519:P-256:P-384";
              ssl_session_timeout 1d;
              ssl_session_cache shared:SSL:10m;
              # Breaks forward secrecy: https://github.com/mozilla/server-side-tls/issues/135
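Review bot: The `ssl_conf_command Groups "X25519MLKEM768:X25519:P-256:P-384";` line is emitted whenever `cfg.recommendedTlsSettings` is set, but nothing in the hunk checks or documents the OpenSSL 3.5.0 requirement that the commit message gives for hybrid key exchanges. If the configured nginx package can be built against an older OpenSSL or a different TLS library, that should be guarded, for example by wrapping the directive in a version check on the linked library, or at least stated in a comment directly above the directive so that a failing config test can be traced back to it. The reworded comment ("as the lower bound") would also be more useful if it named the group list as the setting that intentionally goes beyond the Mozilla intermediate profile, so the next sync against that profile does not revert it.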