[debops] defaults: Adopt NCSC-NL recommended curves.

There's some concern over the rigidity of prime256v1 because it's a NIST curve. See here for the rabbit hole: nodejs/node#1495 secp521r1 was erroneously copied. Since Mozilla gives no explanation why they recommend certain curves and it included prime256v1, the curves are replaced with NCSC-NL recommendation.
apapsch · Aug 6, 2020 · 6792e91 · 6792e91
1 parent 7cb65e1
commit 6792e91
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/ansible/roles/nginx/defaults/main.yml b/ansible/roles/nginx/defaults/main.yml
@@ -523,7 +523,7 @@ nginx_default_tls_protocols: '{{ [ "TLSv1.2", "TLSv1.3" ]
 #
 # See also: https://security.stackexchange.com/questions/31772/
 # Set to ``False`` to disable ECC.
-nginx_default_ssl_curve: 'secp521r1:secp384r1:prime256v1'
+nginx_default_ssl_curve: 'secp384r1:secp256r1:x448:x25519'
 
                                                                    # ]]]
 # .. envvar:: nginx_default_ssl_verify_client [[[