The default CIPHERS allowed for a fair amount of not really considered
secure anymore connections. This updated cipher list is taken from
mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
method => 'any',
sslv2 => 0,
sslv3 => 0,
- cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
+ cipher_list => $proxyconf->{CIPHERS} || 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
key_file => '/etc/pve/local/pve-ssl.key',
cert_file => '/etc/pve/local/pve-ssl.pem',
},