Home / server / Questions / 690589
Accepted
Drifter104
Asked: 2015-05-09 03:53:08 +0800 CST

Nginx reverting to sslv3

  • 772

I'm using nginx as a reverse proxy and I'm trying to turn off sslv3 support.
I have found various answers both on here and other various sites. They all suggest all I need to do is add something like the following to the default http block in my nginx.conf 

ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                 "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!RC4";
ssl_prefer_server_ciphers   on;

I've done that and have even tried this full config from https://cipherli.st/ 

ssl_ciphers "AES128+EECDH:AES128+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;

I still only get a 'C' rating on SSL Labs (regardless of any change I make), with the following reasons

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
This server accepts the RC4 cipher, which is weak. Grade capped to B.

I have also restarted the server so I know the configuration changes have been applied.

nginx -v
nginx version: nginx/1.9.0

/etc/issue
Ubuntu 14.04.2 LTS \n \l

openssl version -a
OpenSSL 1.0.1f 6 Jan 2014 built on: Thu Mar 19 15:12:02 UTC 2015 platform: debian-amd64 options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM OPENSSLDIR: "/usr/lib/ssl"

Any suggestions?

nginx

1 Answers

  1. Best Answer

    I believe your openssl version is the problem. The openssl group recommends version 1.01j minimum.

    Also, check your cipher. Isn't there supposed to be a colon before !RC4?

    • 3