These are the ones pulling down the grade:
- This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
- This server supports anonymous (insecure) suites (see below for details). Grade set to F.
- The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
- This server accepts the RC4 cipher, which is weak. Grade capped to B.
The server was installed quite some time ago on Digital Ocean; it could be that I just need the most recent default Nginx configs. I'll test. Btw, I have a StartSSL cert, should have chosen the www subdomain though, not "mail". I'll do an apt-get purge nginx before reinstalling and then manually add back the old settings.
You should have a configuration file ending in .dpkg-new with whatever settings the modern nginx package provides; no need to purge and reinstall.
Do you know exactly what problem you had? It might have been unrelated to Debian's presets.
EDIT: a different server with a many-times-upgraded nginx package (but same version) has no `ssl_protocols` in /etc/nginx/nginx.conf and so had SSLv3 enabled. So I agree that this can happen. In my case it's probably a consequence of silent upgrades and `Dpkg::Options::=--force-conf{def,new,old}` choosing to preserve existing config files.
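
An added example, not from any of the posters: a shell check for the condition described in the last reply (no active `ssl_protocols` in the nginx tree, with packaged configs left aside as `.dpkg-new`/`.dpkg-dist`) and for the SSLv3, RC4 and anonymous-suite findings quoted at the top. The function names and message strings are assumptions made for this example.

```shell
# Print the arguments of each active (non-comment) occurrence of directive $2 under $1.
# Files dpkg set aside (*.dpkg-*) are skipped because they are not the live config.
nginx_directive() {
    grep -RhE --exclude='*.dpkg-*' "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null |
        sed -E "s/#.*//; s/^[[:space:]]*$2[[:space:]]+//; s/;[[:space:]]*$//"
}

# Print one finding per line (nothing when the tree is clean).
nginx_tls_findings() {
    protos=$(nginx_directive "$1" ssl_protocols)
    if [ -z "$protos" ]; then
        echo "MISSING ssl_protocols: the nginx version's built-in default applies"
    fi
    printf '%s\n' "$protos" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        case " $line " in
            *" SSLv2 "*|*" SSLv3 "*) echo "WEAK ssl_protocols: $line" ;;
        esac
        case " $line " in
            *" TLSv1.2 "*|*" TLSv1.3 "*) ;;
            *) echo "NO-TLS1.2 ssl_protocols: $line" ;;
        esac
    done
    # In ssl_ciphers, tokens starting with '!' or '-' are exclusions.
    nginx_directive "$1" ssl_ciphers | tr -d "\"'" | tr ':' '\n' |
        while IFS= read -r tok; do
            case $tok in
                '!'*|-*) ;;
                *RC4*|*aNULL*|*ADH*|*AECDH*) echo "WEAK ssl_ciphers token: $tok" ;;
            esac
        done
    # Packaged defaults that dpkg kept aside instead of installing.
    find "$1" \( -name '*.dpkg-new' -o -name '*.dpkg-dist' \) 2>/dev/null |
        sed 's/^/PENDING packaged config: /'
}

# Return 0 when clean, 1 when there are findings (printed to stdout).
audit_nginx_tls() {
    findings=$(nginx_tls_findings "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as `audit_nginx_tls /etc/nginx`; a `PENDING` line points at the file to diff against the live config before merging settings by hand.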