Enable TLSv1.3 and use consistent ciphers across listeners

salt/nginx/etc/nginx.conf

@@ -101,9 +101,8 @@ http {
 		ssl_session_cache shared:SSL:1m;
 		ssl_session_timeout  10m;
 		ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256;
-		ssl_ecdh_curve secp521r1:secp384r1;
 		ssl_prefer_server_ciphers on;
-		ssl_protocols TLSv1.2;
+		ssl_protocols TLSv1.2 TLSv1.3;
 	}
 
 	{%- endif %}
@@ -144,7 +143,7 @@ http {
 		ssl_session_timeout  10m;
 		ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256;
 		ssl_prefer_server_ciphers on;
-		ssl_protocols TLSv1.2;
+		ssl_protocols TLSv1.2 TLSv1.3;
         location / {
         	allow all;
         	sendfile on;
@@ -177,7 +176,7 @@ http {
 		ssl_session_timeout  10m;
 		ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256;
 		ssl_prefer_server_ciphers on;
-		ssl_protocols TLSv1.2;
+		ssl_protocols TLSv1.2 TLSv1.3;
 
 		location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) {
 			proxy_pass            http://{{ GLOBALS.manager }}:9822;