Issue 299 and issue 385 - Drop support for RC4 and support IE6/WinXP clients

modules/nginx/templates/nginx.conf.erb

Index: modules/nginx/templates/nginx.conf.erb
===================================================================
--- a/modules/nginx/templates/nginx.conf.erb
+++ b/modules/nginx/templates/nginx.conf.erb
@@ -34,19 +34,19 @@ http {
   <% if scope.lookupvar('nginx::params::gzip') == 'on' %>
   gzip on;
   gzip_disable "msie6";
   gzip_min_length 100;
   gzip_buffers 4 8k;
   gzip_types text/plain text/xhtml text/css application/x-javascript text/xml application/atom+xml application/rss+xml;
   <% end %>
 
-  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA256 EECDH+aRSA+RC4 EDH+aRSA EECDH RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS !RC4 +3DES DES-CBC3-SHA";

[Felix Dahlke, 2014/04/26 22:19:47]

After figuring out how this works, I think it'd be more logical to move
DES-CBC3-SHA in front of !aNULL, wouldn't it?

Then we'd first have the supported suites, then the forbidden suites and finally
3DES at the end of the list.

[Wladimir Palant, 2014/04/27 20:35:34]

You are right, I did that. I also decided to change +3DES into -3DES - this way
we include only the one 3DES-based cipher that we need for IE support rather
than all of them.

   ssl_prefer_server_ciphers on;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
   <% if ssl_session_cache == 'on' %>
   ssl_session_cache shared:SSL:1m;
   <% else %>
   ssl_session_cache off;
   <% end %>
 
   types_hash_max_size 2048;