# --- Protocol versions -------------------------------------------------------
# Only TLS 1.2 and 1.3 are offered. Anything older adds compatibility
# headaches to a shared default kit without adding value.
ssl_protocols TLSv1.2 TLSv1.3;

# --- Key exchange groups -----------------------------------------------------
# `auto` delegates the named-group choice to the nginx/OpenSSL build on the
# host, so the list does not go stale as distro packages move on.
ssl_ecdh_curve auto;

# --- Session resumption ------------------------------------------------------
# Stateful (server-side) resumption: a modest cache shared across worker
# processes, kept for ten minutes. Large caches suggest cross-host session
# sharing, which this kit deliberately does not attempt.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

# Stateless resumption (session tickets) is disabled. Turn it on only with
# a rotated `ssl_session_ticket_key`; without rotation nginx reuses one
# ticket key for the lifetime of the process, which weakens forward secrecy
# for every resumed session protected by it.
ssl_session_tickets off;

# NOTE(review): this snippet sets no `ssl_ciphers` / `ssl_prefer_server_ciphers`,
# so TLS 1.2 cipher selection falls back to nginx's built-in default list rather
# than an explicit policy -- confirm that default meets the deployment's bar.