Update nginx to 1.17.3, enable TLS 1.3

Uses the current intermediate recommended config from
https://ssl-config.mozilla.org

Closes #92

site-cookbooks/kosmos-nginx/files/default/nginx_tls_config.conf

@@ -3,12 +3,10 @@ ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
 # Disable insecure cyphers
-ssl_protocols TLSv1.2;
-ssl_prefer_server_ciphers on;
-# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
-# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
-# We don't have a lot of those cyphers (using Ubuntu 15.04), but CBC is insecure:
-# https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+# From https://ssl-config.mozilla.org
+# Oldest compatible clients:  Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9
+ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
 # Unique DH Group, see https://weakdh.org/sysadmin.html
 ssl_dhparam /etc/ssl/private/dhparams.pem;