FreeBSD, NGINX and TLSv1.3

After a six months hiatus here is a new blogpost.
This saturday I finally found the time to upgrade the configuration of the server that hosts this very website.
Software stack is pretty simple: FreeBSD (version 12.0-p6),nginx (version 1.15.10) and OpenSSL (version 1.1.1a-freebsd).

Install the required software:


$ pkg install nginx-devel py36-certbot

Get a SSL certificate from letsencrypt:


$ certbot-3.6 certonly --standalone -d domain.tld -d www.domain.tld

Certfiles location is /usr/local/etc/letsencrypt/live/<domain.tld>, you might, or might not, want to move them to another directory.

Generate a Diffie-Hellman global public parameters and save them in a folder with the appropriate permissions:


$ mkdir /usr/local/etc/nginx/ssl && cd /usr/local/etc/nginx/ssl
$ openssl dhparam -out dhparams.pem 4096
$ chmod 600 dhparam.pem

Nginx configuration can be found in /usr/local/etc/nginx, edit nginx.conf or the desired v.host file.


server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.tld www.domain.tld;

    access_log      /var/log/nginx/domain.tld-ssl-access.log;
    error_log       /var/log/nginx/domain.tld-ssl-error.log;

    ssl_certificate      /usr/local/etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key  /usr/local/etc/nginx/ssl/domain.tld/privkey.pem;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;
    ssl_session_tickets  off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/etc/nginx/ssl/cert.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    sl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_dhparam /usr/local/etc/nginx/ssl/dhparams.pem;
    keepalive_timeout    60;
}

Set Nginx service to start at boot by adding nginx_enable="YES" to /etc/rc.conf`.
TLS settings can be tested using the following command:


$ openssl s_client -connect domain.tld:443 -tlsv1_3

.:. Links

letsencrypt
ssllabs
mozilla wiki
mozilla ssl configuration generator