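# TLS hardening directives for nginx (valid in the http or server context).

# TLSv1 and TLSv1.1 are deprecated (RFC 8996) and have been dropped from this
# list; clients that cannot negotiate TLSv1.2 will no longer connect.
# TLSv1.3 can be appended on nginx >= 1.13.0 built against OpenSSL >= 1.1.1.
ssl_protocols TLSv1.2;

# cipherli.st suggestion, kept for reference (it also admits AES-128-GCM):
# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# Active list: AES-256 only, forward-secret key exchange (ECDHE/DHE) only.
# NOTE: since nginx 1.11.0 the EDH (DHE) suites are offered only when
# ssl_dhparam points at a DH parameter file; without it only the EECDH
# entries take effect.
ssl_ciphers "EECDH+AES256GCM:EDH+AES256GCM:AES256+EECDH:AES256+EDH";

# Let the server's ordering above win over the client's preference.
ssl_prefer_server_ciphers on;

# Restrict ECDHE to the P-384 curve; a client without P-384 support cannot
# use the EECDH suites.
ssl_ecdh_curve secp384r1;

# Session resumption via a 10 MB cache shared between worker processes;
# cached sessions can be reused for 10 minutes.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

# Session tickets are disabled so resumption does not depend on a long-lived
# ticket key, which would weaken forward secrecy if that key leaked.
ssl_session_tickets off;

# OCSP stapling with verification of the stapled response.
# NOTE: nginx needs a `resolver` directive to look up the OCSP responder, and
# ssl_stapling_verify needs the issuer chain: set ssl_trusted_certificate if
# the ssl_certificate file does not already contain the intermediates.
ssl_stapling on;
ssl_stapling_verify on;

# sources
# http://tautt.com/best-nginx-configuration-for-security/
# https://sherbers.de/howto/nginx/
# http://blog.rlove.org/2013/12/strong-ssl-crypto.html
# https://cipherli.st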