My Crypto Configs
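# TLS listener for the HTTPS port.
listen 443 ssl;
# SSLv3 is deliberately left out: it is vulnerable to POODLE and offers nothing
# that TLSv1+ does not. TLSv1 and TLSv1.1 are kept only for legacy clients;
# remove them as well once no such clients remain.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ECDH key agreement first, then the remaining HIGH suites, sorted by strength.
# "!SSLv2" here only excludes SSLv2-era suites; the protocol itself is governed
# by ssl_protocols above. kECDH matches ephemeral (ECDHE) and fixed ECDH
# suites; with an RSA certificate only the ECDHE-RSA suites can be selected,
# which is what yields forward secrecy -- verify with `openssl ciphers -v`.
ssl_ciphers kECDH:HIGH:!aNULL:!MEDIUM:!LOW:!NULL:!SSLv2:!ADH@STRENGTH;
# Let the server, not the client, choose from the ordered list above.
ssl_prefer_server_ciphers on;
ssl_certificate /path/to/file.crt;
ssl_certificate_key /path/to/file.key;
# DH parameters for the DHE suites (forward secrecy for clients without ECDHE).
# 1024-bit DH is considered breakable by well-resourced attackers (Logjam);
# generate at least 2048 bits:
#   openssl dhparam -outform PEM -out dh.pem 2048
ssl_dhparam /path/to/dh.pem;
# OCSP stapling, only supported with newer nginx versions.
# Not a cipher setting, but it saves the client a separate OCSP round trip.
ssl_stapling on;
# A static response file expires with the OCSP response's validity window and
# must be refreshed periodically. With ssl_stapling_file set, the responder
# directive below is presumably unused -- confirm against the nginx docs.
ssl_stapling_file /path/to/file.resp;
ssl_stapling_responder http://rapidssl-ocsp.geotrust.com/;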
-- Prosody TLS settings (the ciphers field requires prosody 0.9 or later).
-- Forward secrecy is broken in stock luasec at the time of writing; to get it,
-- install the build from http://prosody.im/doc/depends/luasec/prosody
ssl = {
	-- certificate and private key
	certificate = "/path/to/file.crt",
	key = "/path/to/file.key",
	-- Disable SSLv2 and SSLv3 (POODLE), session tickets and TLS compression.
	options = { "no_sslv2", "no_ticket", "no_compression", "no_sslv3" },
	-- ECDH suites first, then HIGH, excluding the 128-bit, DSS and
	-- unauthenticated suites, sorted by strength.
	ciphers = "kECDH:HIGH:!MEDIUM:!LOW:!NULL:!DSS:!AES128-SHA:!AES128-SHA256:!CAMELLIA128-SHA:!aNULL@STRENGTH",
	-- DH parameters for the DHE suites. 1024-bit is below current
	-- recommendations; generate 2048 bits or more:
	--   openssl dhparam -outform PEM -out dhparam.pem 2048
	dhparam = "/path/to/dh.pem",
}
-- Not a cipher setting as such, but still advisable: refuse unencrypted
-- client and server-to-server connections.
s2s_require_encryption = true
c2s_require_encryption = true