From 85eddc490cd4f3f2d9b7c33a86df3745100f13e6 Mon Sep 17 00:00:00 2001
From: Lewis Goddard
Date: Mon, 28 Aug 2017 00:41:14 +0100
Subject: [PATCH] Add additional ssl_ecdh_curve option
---
 nginx-config/directive/bubbly_rock-hard-ssl.conf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/nginx-config/directive/bubbly_rock-hard-ssl.conf b/nginx-config/directive/bubbly_rock-hard-ssl.conf
index 73c03ee..e8d87b0 100644
--- a/nginx-config/directive/bubbly_rock-hard-ssl.conf
+++ b/nginx-config/directive/bubbly_rock-hard-ssl.conf
@@ -32,16 +32,22 @@
 # Option 1. [DEFAULT] Typically sufficient.
 ssl_ecdh_curve secp384r1;
- # Option 2. Slightly better with a larger generation.
+ # Option 2. Slightly better.
 # [WARNING] Slower and breaks some IE on mobiles.
 #ssl_ecdh_curve secp521r1;
+
+ # Option 3. Allow either on modern systems.
+ # [WARNING] Only for for nginx >= 1.11.0 and openssl >= 1.0.2
+ #ssl_ecdh_curve secp521r1:secp384r1;
 #### Strict Transport Security
 # [WARNING] Strict-Transport-Security will stop HTTP access for specified time.
 # [OPTION] Include sub-domains with HSTS.
+ # Option 1. [DEFAULT] Current domain only.
 add_header Strict-Transport-Security "max-age=31536000" always;
+ # Option 2. includeSubDomains
 # [WARNING] This will block HTTP access to sub-domains.
 #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always
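Review bot: The new label `# Option 2. includeSubDomains` names only one of the two things the commented-out header beneath it enables; that line also carries `preload`, which neither the label nor the existing warning mentions. Preload is a separate and much stickier commitment than includeSubDomains, so I would write `# Option 2. includeSubDomains + preload` and add `# [WARNING] preload is hard to undo once the domain is on browser preload lists.` In the Option 3 block, "Only for for nginx" has a duplicated word, and the comment could state that the curve list is in preference order, so clients without secp521r1 can still negotiate secp384r1 (which softens the IE warning given for Option 2). As shown here the commented-out Option 2 header also appears to end without a `;`, so uncommenting it unchanged would likely fail `nginx -t`; worth confirming against the file.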