Can’t pass securitymetrics.com PCI DSS compliance because a number of Weak Cipher Suites were found. Have commented out those in /etc/nginx/nginx.conf > ssl_ciphers and restarted, but still can’t pass the tests, so presumably there are more weak ciphers defined somewhere else (nginx proxy+apache+php8). Where are they?
To persist those changes made in nginx.conf, I understand I have to create my own templates in /usr/local/hestia/data/templates/web/nginx and assign them to websites, but those are Web Domain templates at the server{} level at best. The ssl_ciphers directive is at the universal http{} level. How to properly approach this?
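As an added example (not from this thread, and not Hestia's own tooling): a small Python audit script that walks an nginx configuration tree, follows `include` directives relative to the nginx prefix, and reports every `ssl_protocols` and `ssl_ciphers` directive together with the entries a PCI scan would typically flag. The weak-marker list and the sample config tree it builds in a temp directory are my own constructed assumptions, not the poster's files.

```python
import glob
import os
import re
import tempfile

# Substrings a PCI scanner typically flags in an enabled suite, plus legacy protocols (assumed list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP-", "MD5", "ADH", "AECDH")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DIRECTIVE_RE = re.compile(r"\b(ssl_ciphers|ssl_protocols|include)\s+([^;]+);")

def weak_parts(directive, value):
    value = value.strip().strip("\"'")
    if directive == "ssl_protocols":
        return [p for p in value.split() if p in WEAK_PROTOCOLS]
    # '!' and '-' prefixes are OpenSSL exclusions, so they enable nothing.
    return [t for t in value.split(":") if not t.startswith(("!", "-"))
            and any(m in t.upper() for m in WEAK_CIPHER_MARKERS)]

def audit_nginx_tree(conf_path, prefix, seen=None):
    """Walk conf_path and every file it includes; return [(file, directive, value, weak)]."""
    seen = set() if seen is None else seen
    conf_path = os.path.abspath(conf_path)
    if conf_path in seen or not os.path.isfile(conf_path):
        return []
    seen.add(conf_path)
    with open(conf_path, encoding="utf-8") as fh:  # drop comments so commented-out lines are ignored
        text = "\n".join(line.split("#", 1)[0] for line in fh)
    findings = []
    for directive, value in DIRECTIVE_RE.findall(text):
        value = value.strip()
        if directive == "include":  # relative includes resolve against the nginx prefix
            for inc in sorted(glob.glob(value if os.path.isabs(value) else os.path.join(prefix, value))):
                findings += audit_nginx_tree(inc, prefix, seen)
        else:
            findings.append((conf_path, directive, value, weak_parts(directive, value)))
    return findings

def run_sample():
    """Constructed config tree (not the poster's real files) so the audit runs stand-alone."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "conf.d"))
    files = {"nginx.conf": "http {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\n"
                           "    # ssl_ciphers RC4-SHA;  (commented out, must be ignored)\n"
                           '    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384";\n'
                           "    include conf.d/*.conf;\n}\n",
             "conf.d/legacy.conf": "ssl_ciphers HIGH:!aNULL:!MD5:DES-CBC3-SHA:RC4-MD5;\n"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return audit_nginx_tree(os.path.join(root, "nginx.conf"), root)
```

Run it against `/etc/nginx/nginx.conf` with prefix `/etc/nginx` to list every file that sets these directives; a `server{}`-level directive in an included vhost file overrides the `http{}` one for that site, so each hit matters, not only the one in nginx.conf.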
The ciphers are from Mozilla’s current intermediate cipher list. Current sites should allow the browser to choose the cipher which will speed up loading of your page and cipher handshake.
Hi Shawn, thank you for the hints. Unfortunately, they didn’t work for me and I’m still stuck at the same place. After all those tweaks and restart of NGINX I am still getting absolutely the same weak ciphers that fail in securitymetrics: https://postimg.cc/ftMDsvhp
I forgot to mention I’m behind Cloudflare (free), but think I should have configured the pertinent stuff accordingly, for example:
Minimum TLS Version: 1.2;
TLS 1.3 = enabled
Not sure if it’s a configuration problem, or a cache problem of some kind at this point? Have purged everything for the domain.com at the edge, and also cleared WP Fastest Cache (WordPress), but it didn’t help.
If you are behind Cloudflare, you can’t do anything. Cloudflare is handling the SSL connection, so you probably need to search for a solution on the Cloudflare side.