# Shared TLS configuration

## Use strong ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;

## Configure ssl session cache
## Improves performance but we don't wanna keep this forever
## Session ticket creation and rotation is handled by GrapheneOS's scripts:
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys

ssl_session_cache shared:SSL:10m; # About 40000 sessions
ssl_session_timeout 1d;
ssl_session_ticket_key session-ticket-keys/4.key;
ssl_session_ticket_key session-ticket-keys/3.key;
ssl_session_ticket_key session-ticket-keys/2.key;
ssl_session_ticket_key session-ticket-keys/1.key;

## The following settings need to be declared manually per vhost:
# ssl_certificate
# ssl_certificate_key
# ssl_trusted_certificate
# ssl_stapling_file