Maintaining a set of strong ciphers for your web server, whether you're running Nginx or Apache (httpd), is an important step in hardening your server. It's not common for the default settings of any application to be secure, and Nginx and Apache are no exception. Restricting the ciphers they support can mean that some older browsers can no longer connect, but this is rarely a problem.
Nginx:

# Don't use TLSv1 if PCI compliance is required.
# TLSv1.3 may not be available with your version of nginx / openssl.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# Use the server's cipher list instead of the client's.
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_dhparam /etc/ssl/dhparam.pem;
Apache (httpd):

SSLCipherSuite HIGH:!aNULL:!MD5
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"

Both configurations reference a Diffie-Hellman parameter file, which you generate once with openssl:
openssl dhparam -out /etc/ssl/dhparam.pem 4096
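Cipher strings like the ones above are aliases that OpenSSL expands at runtime, so the only reliable way to know what a server will actually offer is to expand them against the same OpenSSL the server links to. The following script is an added example, not part of the original post: it feeds the two cipher strings from the page through Python's ssl module (which calls the host OpenSSL's cipher-list parser), lists the concrete suites that result, flags any that still carry an algorithm the nginx list is meant to exclude, and parses the ssl_protocols line to point out the legacy versions the comment warns about. The helper names and the WEAK_MARKERS list are this example's own choices.

```python
import re
import ssl

# The two cipher strings from the page, verbatim. OpenSSL accepts space-,
# comma- or colon-separated lists, so both can be passed unchanged.
NGINX_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH "
    "!RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)
APACHE_CIPHERS = "HIGH:!aNULL:!MD5"

# Substrings of OpenSSL cipher names that correspond to the algorithms the
# nginx string explicitly removes (RC4, 3DES, MD5, NULL, export, PSK, SRP, DSS).
# This list is an assumption of the example, not something OpenSSL defines.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "PSK", "SRP", "DSS")

# Protocol versions older than TLSv1.2; the page's comment singles out TLSv1
# for PCI, and the others are older still.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def expand_cipher_string(spec):
    """Return the concrete OpenSSL cipher names that `spec` selects.
    Raises ssl.SSLError if the string selects nothing at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Cipher names from `names` whose name still carries a weak-algorithm marker."""
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


def legacy_protocols(directive):
    """Parse an nginx `ssl_protocols ...;` line and return the versions in it
    that are older than TLSv1.2, in the order they were listed."""
    match = re.match(r"\s*ssl_protocols\s+(.*?)\s*;", directive)
    if not match:
        raise ValueError("not an ssl_protocols directive: %r" % directive)
    return [p for p in match.group(1).split() if p in LEGACY_PROTOCOLS]


if __name__ == "__main__":
    for label, spec in (("nginx", NGINX_CIPHERS), ("apache", APACHE_CIPHERS)):
        names = expand_cipher_string(spec)
        print("%s: %d suites selected" % (label, len(names)))
        for name in names:
            print("   ", name)
        print("    weak:", weak_ciphers(names) or "none")
    line = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;"
    print("legacy protocols enabled:", legacy_protocols(line) or "none")
```

Run it on the machine that serves the site, so the expansion reflects the OpenSSL that nginx or httpd is linked against; the same string can select a different set of suites on another OpenSSL release. The nginx list should come back with no weak entries, because every marker in WEAK_MARKERS matches a `!` exclusion in that string. The Apache string only excludes anonymous and MD5 suites, so on an OpenSSL release whose HIGH alias still includes 3DES it will be reported, which is exactly the gap a reviewer of that line should notice.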