Hardening nginx, allow TLSv1.2 with the most secure cipher suites only (#340)

* Hardening nginx, allow TLSv1.2 with the most secure cipher suites only

* Ciphers added to allow more browsers to connect

util/Setup/NginxConfigBuilder.cs

@@ -7,11 +7,10 @@ namespace Bit.Setup
     {
         private const string ConfFile = "/bitwarden/nginx/default.conf";
         private const string SslCiphers =
-            "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:" +
-            "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:" +
-            "ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:" +
-            "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:" +
-            "AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
+            "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:" +
+            "ECDHE-RSA-CHACHA20-POLY1305:" +
+            "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:" +
+            "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256";
         private const string ContentSecurityPolicy =
             "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
             "img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
@@ -116,9 +115,9 @@ server {{
                     }
 
                     sw.WriteLine($@"
-  # SSL protocols TLS v1~TLSv1.2 are allowed. Disabed SSLv3
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  # Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK
+  # SSL protocol TLSv1.2 is allowed. Disabed SSLv3, TLSv1, and TLSv1.1
+  ssl_protocols TLSv1.2;
+  # Enable most secure cipher suites only.
   ssl_ciphers ""{SslCiphers}"";
   # Enables server-side protection from BEAST attacks
   ssl_prefer_server_ciphers on;");