From 1c75b6dacde82df9acfd21dce0dc2625249a28d5 Mon Sep 17 00:00:00 2001
From: sydneyli
Date: Fri, 28 Jun 2019 12:16:52 -0700
Subject: [PATCH] Update Nginx conf file to match Mozilla's security recommendations (#7163)

Fixes #7089
---
 certbot-nginx/certbot_nginx/constants.py | 2 ++
 certbot-nginx/certbot_nginx/options-ssl-nginx-old.conf | 2 +-
 certbot-nginx/certbot_nginx/options-ssl-nginx.conf | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/certbot-nginx/certbot_nginx/constants.py b/certbot-nginx/certbot_nginx/constants.py
index cec7acaf5..3f22000eb 100644
--- a/certbot-nginx/certbot_nginx/constants.py
+++ b/certbot-nginx/certbot_nginx/constants.py
@@ -24,6 +24,7 @@ UPDATED_MOD_SSL_CONF_DIGEST = ".updated-options-ssl-nginx-conf-digest.txt"
 SSL_OPTIONS_HASHES_NEW = [
     '63e2bddebb174a05c9d8a7cf2adf72f7af04349ba59a1a925fe447f73b2f1abf',
+    '2901debc7ecbc10917edd9084c05464c9c5930b463677571eaf8c94bffd11ae2',
 ]
 """SHA256 hashes of the contents of versions of MOD_SSL_CONF_SRC for nginx >= 1.5.9"""
@@ -34,6 +35,7 @@ ALL_SSL_OPTIONS_HASHES = [
     '7f95624dd95cf5afc708b9f967ee83a24b8025dc7c8d9df2b556bbc64256b3ff',
     '394732f2bbe3e5e637c3fb5c6e980a1f1b90b01e2e8d6b7cff41dde16e2a756d',
     '4b16fec2bcbcd8a2f3296d886f17f9953ffdcc0af54582452ca1e52f5f776f16',
+    'c052ffff0ad683f43bffe105f7c606b339536163490930e2632a335c8d191cc4',
 ] + SSL_OPTIONS_HASHES_NEW
 """SHA256 hashes of the contents of all versions of MOD_SSL_CONF_SRC"""
diff --git a/certbot-nginx/certbot_nginx/options-ssl-nginx-old.conf b/certbot-nginx/certbot_nginx/options-ssl-nginx-old.conf
index 292d42984..627bafadb 100644
--- a/certbot-nginx/certbot_nginx/options-ssl-nginx-old.conf
+++ b/certbot-nginx/certbot_nginx/options-ssl-nginx-old.conf
@@ -4,7 +4,7 @@
 # the up-to-date file that you will need to refer to when manually updating
 # this file.
-ssl_session_cache shared:le_nginx_SSL:1m;
+ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
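Review bot: The digest added to SSL_OPTIONS_HASHES_NEW is opaque — nothing on the line says which shipped file and revision `2901debc…` covers, so the next person editing options-ssl-nginx.conf cannot tell which entry is current and which are legacy. An end-of-line note per entry fixes that: `'2901debc7ecbc10917edd9084c05464c9c5930b463677571eaf8c94bffd11ae2',  # options-ssl-nginx.conf, session cache 1m -> 10m (#7163)`. These digests are what lets certbot treat a deployed file as unmodified and safe to overwrite on upgrade (presumably keyed off UPDATED_MOD_SSL_CONF_DIGEST shown in the hunk header), so a mistyped digest would not fail loudly but would silently stop future security updates to that file; if the test suite does not already assert that the sha256 of the shipped conf equals the last entry here, that check belongs with this change. The list begins inside the hunk, but the module continues outside it.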
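Review bot: The entry `c052ffff…` goes only into ALL_SSL_OPTIONS_HASHES while `2901debc…` goes into SSL_OPTIONS_HASHES_NEW, and the hunk gives no hint why; if, as the diffstat suggests, it is the digest of the updated options-ssl-nginx-old.conf (presumably the variant for nginx releases older than the 1.5.9 cut-off named in the docstring above), record that inline: `'c052ffff0ad683f43bffe105f7c606b339536163490930e2632a335c8d191cc4',  # options-ssl-nginx-old.conf after #7163`. ALL_SSL_OPTIONS_HASHES acts as the allowlist that marks a deployed file as certbot-managed, so an extra digest that matches no shipped file is harmless, but a wrong one means users on this release quietly stop receiving automatic updates to the file. Neither of these can be checked from the diff itself, so a test hashing both shipped files against these lists is the only way to keep the entries honest.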
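Review bot: Enlarging the shared cache to 10m in the `-old` variant changes only how many resumable sessions are held in memory (nginx's rule of thumb is about 4000 per MB); it does not bring this file in line with the commit title, since the next context line still enables TLSv1 and TLSv1.1 and there is no `ssl_session_tickets off;` here, presumably because this variant targets nginx releases that lack the directive. That gap should be stated in the file so an admin reading it does not assume the Mozilla profile applies: `# Legacy variant for older nginx: TLS 1.0/1.1 remain enabled and session tickets cannot be disabled, so resumption state also lives in nginx's default ticket key (by default regenerated only on restart/reload).` The 24 h `ssl_session_timeout` on the following line is unchanged, so the new size is a capacity increase, not a longer lifetime for cached secrets. The hunk ends on the `ssl_protocols` line; the rest of the file is outside it.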
diff --git a/certbot-nginx/certbot_nginx/options-ssl-nginx.conf b/certbot-nginx/certbot_nginx/options-ssl-nginx.conf
index 57a332d2f..3cc2b9b28 100644
--- a/certbot-nginx/certbot_nginx/options-ssl-nginx.conf
+++ b/certbot-nginx/certbot_nginx/options-ssl-nginx.conf
@@ -4,7 +4,7 @@
 # the up-to-date file that you will need to refer to when manually updating
 # this file.
-ssl_session_cache shared:le_nginx_SSL:1m;
+ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
 ssl_session_tickets off;
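Review bot: The new cache size carries no rationale, and since this is the file admins are told not to edit by hand, the why belongs next to the value: `ssl_session_cache shared:le_nginx_SSL:10m;  # ~40k sessions (nginx: ~4000 per MB); tickets are off below, so this cache is the only resumption path`. With `ssl_session_tickets off;` two lines later every resumption depends on this one shared zone, so its size now directly sets the resumption hit rate across all workers, while the 24 h `ssl_session_timeout` between them bounds how long a resumable secret stays in memory. The values appear to match Mozilla's published intermediate profile, but the comment should name that as the source so future bumps can be checked against it rather than against memory. The file header starts above the hunk.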