From cb0c7234a12d4a97bc55199c8b6bef9e7a46c0a0 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 29 Mar 2020 12:10:55 +0200
Subject: [PATCH] Support TLSv1.3, disable TLSv1 TLSv1.1 by default.
---
 install_nginx.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/install_nginx.sh b/install_nginx.sh
index e034f24..6106dfb 100755
--- a/install_nginx.sh
+++ b/install_nginx.sh
@@ -307,7 +307,10 @@ server {
 ssl_session_timeout 10m;
 ssl_session_tickets off;

- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE
+ #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
+ # omit SSLv3 because of POODLE
+ # omit TLSv1 TLSv1.1
+ ssl_protocols TLSv1.2 TLSv1.3;

 # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
 # Everything better than SHA1 (deprecated)
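Review bot: The `TLSv1.3` value on the new `ssl_protocols TLSv1.2 TLSv1.3;` line is written unconditionally, but nginx only accepts it from 1.13.0 on and only negotiates it when built against OpenSSL 1.1.1 or newer, so on an older nginx the generated config would be rejected at load. The hunk does not show which nginx the script installs or whether it runs `nginx -t` after writing the file; the `server` block starts and ends outside the hunk, so that is worth confirming. I would also drop the commented-out `#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` line, which duplicates the POODLE remark and invites re-enabling the legacy protocols, and fold the three comments into one, e.g. `# TLSv1.2+ only: SSLv3 is omitted because of POODLE, TLSv1/TLSv1.1 are deprecated`. If the cipher list that follows these comments is an `ssl_ciphers` directive, note that it does not choose the TLSv1.3 suites under OpenSSL, so the ECDHE/GCM reasoning applies to TLSv1.2 only.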