From 26cc4ce79a6093ccb6710fc0716e29ae2450d75a Mon Sep 17 00:00:00 2001
From: dandds <dan-ctr@friends.dds.mil>
Date: Wed, 29 Jan 2020 16:48:33 -0500
Subject: [PATCH] Disable cipher export for TLS negotiation.

In order to meet compliance requirements, this adds the EXPORT option to
NGINX's ssl_cipher config. Extended discussion here:

https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
---
 deploy/azure/nginx-snippets.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/azure/nginx-snippets.yml b/deploy/azure/nginx-snippets.yml
index 916d9524..dfd37a8a 100644
--- a/deploy/azure/nginx-snippets.yml
+++ b/deploy/azure/nginx-snippets.yml
@@ -10,7 +10,7 @@ data:
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
     # Set SSL protocols, ciphers, and related options
     ssl_protocols TLSv1.3 TLSv1.2;
-    ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!EXPORT;
     ssl_prefer_server_ciphers on;
     ssl_ecdh_curve X25519:prime256v1:secp384r1;
     ssl_dhparam /etc/ssl/dhparam.pem;