Disable SSLv3 on Nginx
Why is SSLv3 still enabled on my server? I want to disable it because some computers cannot open my page due to security issues.
I found this guide:
But currently I have it installed. My server is hosted on Google Cloud, currently I have this Nginx config file:
...
ssl on;
ssl_certificate /etc/nginx/dba_certs/dba_ssl2/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/dba_certs/dba_keys/dba.key;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
...
OpenSSL version 1.0.1f Jan 6, 2014
What could be wrong?
To disable SSLv3 you need to edit the default configuration, not just an arbitrary virtual host configuration. It can only be disabled for the listening socket, not just for the virtual server. The config snippet you provided assumes that you are using the config files included with the server, so you need to find the one with default_server in the appropriate listen directive and disable SSLv3 there:
server {
listen 443 default_server ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
...
}
Or, better yet, edit the configuration at the http level, in nginx.conf:
http {
...
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
...
}
You might also consider upgrading nginx to the latest version. In nginx 1.9.1+ SSLv3 is disabled by default.
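The point of the answer above is that nginx chooses the protocol version before it knows which virtual host is being asked for, so only the default_server on a socket (or, if none is flagged, the first server block listening there) decides whether SSLv3 is offered. The following script is an added example, not nginx code or anything from the answer: it parses a small nginx config and reports, per TLS listening address, which server block governs it, the resulting protocol list, and which other server blocks carry an ssl_protocols line that is silently ignored. The built-in default with SSLv3 is an assumption for nginx releases before 1.9.1; the server names and config text are constructed.

```python
"""Which ssl_protocols value really governs an nginx listening socket?

Added example, not nginx code. The parser is deliberately minimal
(no include, no variables); it handles http > server > directives.
"""
import re

# Assumption: built-in default of nginx releases before 1.9.1, which
# still enabled SSLv3 (1.9.1+ drops it from the default).
NGINX_BUILTIN_DEFAULT = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def parse_nginx(text):
    """Tiny nginx config parser: list of (directive, args, children_or_None)."""
    text = re.sub(r"#[^\n]*", "", text)                      # strip comments
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)

    def block(pos):
        items = []
        while pos < len(tokens):
            if tokens[pos] == "}":
                return items, pos + 1
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos])
                pos += 1
            if tokens[pos] == ";":
                items.append((words[0], words[1:], None))
                pos += 1
            else:
                children, pos = block(pos + 1)
                items.append((words[0], words[1:], children))
        return items, pos

    return block(0)[0]


def first(items, name, default=None):
    """Args of the first directive called `name` in a block, or `default`."""
    return next((args for n, args, _ in items if n == name), default)


def effective_protocols(config_text, builtin_default=NGINX_BUILTIN_DEFAULT):
    """Map each TLS listen address to the protocol list that really applies."""
    http = next(ch for n, _, ch in parse_nginx(config_text) if n == "http")
    http_level = first(http, "ssl_protocols")
    per_socket = {}            # addr -> [(server_name, own_protocols, is_default)]
    for srv in (ch for n, _, ch in http if n == "server"):
        name = " ".join(first(srv, "server_name", ["(unnamed)"]))
        own = first(srv, "ssl_protocols")
        legacy_ssl_on = first(srv, "ssl") == ["on"]          # old-style `ssl on;`
        for largs in (a for n, a, _ in srv if n == "listen"):
            if "ssl" not in largs and not legacy_ssl_on:
                continue                                     # plain-HTTP socket
            is_default = "default_server" in largs or "default" in largs
            per_socket.setdefault(largs[0], []).append((name, own, is_default))

    report = {}
    for addr, entries in per_socket.items():
        # nginx rule: the flagged default_server wins, else the first server on the socket
        default = next((e for e in entries if e[2]), entries[0])
        protocols = default[1] or http_level or builtin_default
        report[addr] = {
            "default_server": default[0],
            "protocols": protocols,
            "sslv3_enabled": "SSLv3" in protocols,
            # ssl_protocols on a non-default server of this socket never takes effect
            "ignored_overrides": [n for n, own, _ in entries
                                  if n != default[0] and own and own != protocols],
        }
    return report


# Constructed sample: the vhost disables SSLv3, but the default_server on the
# same socket leaves ssl_protocols unset, so the built-in default applies.
BEFORE = """
http {
    server {
        listen 443 default_server ssl;
        server_name default.example;          # constructed name
    }
    server {
        listen 443 ssl;
        server_name www.example.com;          # constructed name
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # looks right, but is ignored here
    }
}
"""

# The fix recommended above: set ssl_protocols once at http level.
AFTER = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server { listen 443 default_server ssl; server_name default.example; }
    server { listen 443 ssl; server_name www.example.com; }
}
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for addr, info in effective_protocols(cfg).items():
            print(f"{label}: socket {addr} -> {info}")
```

Run it as-is to see the "before" socket report SSLv3 enabled with www.example.com listed under ignored_overrides, and the "after" socket clean. Pass `builtin_default=["TLSv1", "TLSv1.1", "TLSv1.2"]` to model an nginx 1.9.1+ build.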
I can confirm that SSL3 is enabled. To disable it, you need to change the NGINX config (nginx.conf) or the VirtualHost config file. In your case, this is probably the following file:
$ sudo vim /etc/nginx/sites-enabled/dragonboundaimbot.com
...
listen 443 default_server ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
...
$ sudo service nginx restart
SSL3 isn't the only problem. Some of the cipher suites are deprecated and should not be used. Try to reduce the number of cipher suites to the following:
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq. 3072 bits RSA) FS 112
For other improvements, check the website with a Chrome browser, for example, and/or run an additional test at ssllabs.com.
I have created a gist with the steps you need to follow to get an A rating on the Qualys SSL test, plus steps to disable SSLv3 and use TLSv1 correctly.
Add SSL Ciphers:
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
Fix OpenSSL vulnerability for Oracle vulnerability:
https://gist.github.com/ArturT/bc8836d3bedff801dc324ac959050d12
Add SSL Protocols:
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
Set your preferred ciphers:
ssl_prefer_server_ciphers on;
In the server block we must enable TCP v6 and v4 support:
listen 443 ssl;
listen [::]:443 ssl;
Add default_server to the above block:
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
Or read here:
https://gist.github.com/kaushikgandhi/663e6e47d8a42025e848e454f5e064c4
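Both the second answer (trim the suite list, then test at ssllabs.com) and the third answer (a long ssl_ciphers string) leave the reader guessing what OpenSSL actually makes of a given cipher string. The script below is an added example, not part of either answer or of nginx: it feeds an ssl_ciphers value to the local OpenSSL through Python's ssl module, lists the concrete suites that result, flags any from a weak family, and separates the suites without forward secrecy. The cipher string from the third answer (the Mozilla "intermediate" list of that era) and the questioner's own string are included as inputs; the exact expansion depends on the OpenSSL version Python is linked against, which is why the checks are written as properties rather than a fixed list.

```python
"""Expand an nginx ssl_ciphers string with the local OpenSSL and audit it.

Added example; not part of any answer above. Uses Python's ssl module,
so the expansion reflects the OpenSSL build Python was compiled against.
"""
import ssl

# ssl_ciphers value from the third answer (Mozilla "intermediate" list of that era).
POSTED_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# ssl_ciphers value from the question.
QUESTIONER_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"

# Substrings that identify suite families which must not survive expansion.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXPORT", "ADH", "AECDH", "PSK", "DES-CBC-")


def expand_cipher_string(cipher_string):
    """Return (name, protocol) pairs OpenSSL derives from an ssl_ciphers value."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)        # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def weak_suites(expanded):
    """Names in an expanded list that belong to a weak family."""
    return [name for name, _ in expanded
            if any(marker in name.upper() for marker in WEAK_MARKERS)]


def non_forward_secret(expanded):
    """TLS <= 1.2 suites whose key exchange is static (no ECDHE/DHE).

    TLS 1.3 suites always use ephemeral key exchange, so they are skipped.
    """
    return [name for name, proto in expanded
            if proto != "TLSv1.3"
            and not name.startswith(("ECDHE-", "DHE-", "EDH-"))]


def audit(cipher_string):
    """One-shot summary a reviewer can eyeball before touching nginx.conf."""
    expanded = expand_cipher_string(cipher_string)
    return {
        "suite_count": len(expanded),
        "weak": weak_suites(expanded),
        "no_forward_secrecy": non_forward_secret(expanded),
    }


if __name__ == "__main__":
    for label, value in (("question", QUESTIONER_CIPHERS), ("answer", POSTED_CIPHERS)):
        print(label, audit(value))
```

The same expansion is available from the command line with `openssl ciphers -v '<string>'`. Note that the posted list deliberately keeps plain RSA suites (AES128-SHA and friends) at the end for older clients, which is why non_forward_secret is not empty for it; whether that tail is acceptable is a client-compatibility decision, not something the string itself settles.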