nixos/nginx: Allow unsetting ssl_ciphers

When using the Modern config from the Mozilla SSL config generator,
the `ssl_ciphers` parameter does not need to be set
as only TLSv1.3 is permitted and all of its ciphers are reasonable.
This commit is contained in:
Aneesh Agrawal 2020-10-26 00:32:37 -04:00
parent 7929891d57
commit 924035bb97

View File

@ -86,7 +86,7 @@ let
''} ''}
ssl_protocols ${cfg.sslProtocols}; ssl_protocols ${cfg.sslProtocols};
ssl_ciphers ${cfg.sslCiphers}; ${optionalString (cfg.sslCiphers != null) "ssl_ciphers ${cfg.sslCiphers};"}
${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"} ${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"}
${optionalString (cfg.recommendedTlsSettings) '' ${optionalString (cfg.recommendedTlsSettings) ''
@ -487,7 +487,7 @@ in
}; };
sslCiphers = mkOption { sslCiphers = mkOption {
type = types.str; type = types.nullOr types.str;
# Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
description = "Ciphers to choose from when negotiating TLS handshakes."; description = "Ciphers to choose from when negotiating TLS handshakes.";