[debian] [stretch] loosing default ssl settings

[arthurzenika]

When deploying nginx formula to debian stretch with no pillars, it removes ssl_protocols and ssl_prefer_server_ciphers

                  -	##
                  -	# SSL Settings
                  -	##
                  -
                  -	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
                  -	ssl_prefer_server_ciphers on;

Would you agree to a PR that adds these settings ?

[noelmcloughlin]

Hi @arthurlogilab
It is good that TLS v1 and 1.1 are removed. But you can raise PR to set TLSv1.2 as default?
And yes, I think ssl_prefer_server_ciphers: 'on' is acceptable formula default.

ref:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites

[noelmcloughlin]

On second thoughts - It might not be optimal for security but these no-pillar settings are correct default nginx settings after installation.

I don't see these documented in pillar.example - Could you raise PR on that plese.