From 7fe08beb9a9a472667b388fe95b296e0b72ad6dc Mon Sep 17 00:00:00 2001
From: Emilien Mantel <emilien.mantel@gmail.com>
Date: Thu, 15 Mar 2018 18:13:13 +0100
Subject: [PATCH] Enable TLSv1.3 on nginx v1.13.0

---
 templates/etc/nginx/helper/ssl-legacy.j2 | 2 +-
 templates/etc/nginx/helper/ssl-strong.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/etc/nginx/helper/ssl-legacy.j2 b/templates/etc/nginx/helper/ssl-legacy.j2
index 780f909..9edc801 100644
--- a/templates/etc/nginx/helper/ssl-legacy.j2
+++ b/templates/etc/nginx/helper/ssl-legacy.j2
@@ -3,7 +3,7 @@
 #
 
 ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2{% if nginx_version.stdout | version_compare('1.13.0', 'ge') %} TLSv1.3{% endif %};
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
diff --git a/templates/etc/nginx/helper/ssl-strong.j2 b/templates/etc/nginx/helper/ssl-strong.j2
index 2264ac9..9f92ab1 100644
--- a/templates/etc/nginx/helper/ssl-strong.j2
+++ b/templates/etc/nginx/helper/ssl-strong.j2
@@ -3,7 +3,7 @@
 #
 
 ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2{% if nginx_version.stdout | version_compare('1.13.0', 'ge') %} TLSv1.3{% endif %};
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};