# ssl-tls-v1.3.server.conf

# TSLv1.3 erfolgreich getestet mit Firefox 63 und Chrome 70

listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;

# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
	
ssl_session_cache    shared:SSL:1m;
ssl_session_timeout  5m;

ssl_certificate ssl.cert/server.crt;
ssl_certificate_key ssl.cert/server.key;

# Nur aktuelle TLS-Protokollversionen zulassen
# s. http://nginx.org/en/docs/http/configuring_https_servers.html
# und https://wiki.openssl.org/index.php/TLS1.3
#
ssl_protocols TLSv1.3;
# alternativ, wenn TLSv1.2 und TLSv1.3 erlaubt sind:
# ssl_protocols TLSv1.2 TLSv1.3;

ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

ssl_ecdh_curve prime256v1:secp384r1;

ssl_dhparam  ssl.cert/dhparam.pem;

add_header Strict-Transport-Security "max-age=15768000" always;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;