Add TLSv1.3

eustasy · Aug 27, 2017 · 01bac5e · 01bac5e
1 parent 85eddc4
commit 01bac5e
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/nginx-config/directive/bubbly_rock-hard-ssl.conf b/nginx-config/directive/bubbly_rock-hard-ssl.conf
@@ -35,7 +35,7 @@
 	# Option 2. Slightly better.
 	# [WARNING] Slower and breaks some IE on mobiles.
 	#ssl_ecdh_curve secp521r1;
-	
+
 	# Option 3. Allow either on modern systems.
 	# [WARNING] Only for for nginx >= 1.11.0 and openssl >= 1.0.2
 	#ssl_ecdh_curve secp521r1:secp384r1;
@@ -44,19 +44,26 @@
 	####	Strict Transport Security
 	# [WARNING] Strict-Transport-Security will stop HTTP access for specified time.
 	# [OPTION] Include sub-domains with HSTS.
-	
+
 	# Option 1. [DEFAULT] Current domain only.
 	add_header Strict-Transport-Security "max-age=31536000" always;
-	
+
 	# Option 2. includeSubDomains
 	# [WARNING] This will block HTTP access to sub-domains.
 	#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always
 
 
 	####	Preference & Protocols
 	ssl_prefer_server_ciphers on;
+	# [OPTION] Select SSL protocols.
+
+	# Option 1. [DEFAULT] TLSv1-1.2
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
+	# Option 2. Enable TLSv1.3
+	# [WARNING] Requires Nginx >=1.13.0 && OpenSSL >=1.1.1 built with TLSv1.3
+	#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+
 
 	####	Cipher List
 	# [OPTION] Pick on Cipher List from Below.