update

ssl/security.conf

@@ -1,6 +1,13 @@
+# TLSv1.2+ is the practical modern baseline. Older protocols create more
+# compatibility burden than value in a shared default kit.
 ssl_protocols TLSv1.2 TLSv1.3;
+
+# Let nginx/OpenSSL pick the best named group set available on the host instead
+# of freezing a list that will age badly across distro upgrades.
 ssl_ecdh_curve auto;
 
+# Keep a small shared cache because session resumption helps repeat visitors,
+# but avoid huge caches that imply cross-host coordination.
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;