Recently a bunch of SSL/TLS attacks have popped up, some of which got a lot of public attention:
- Heartbleed
- BEAST attack
- CRIME attack
- FREAK attack
- POODLE
- ... and so on ...
Disabling SSLv2 and SSLv3 and Excluding Weak Cipher Suites
If you want to protect your Nginx from most of these attacks, add the following snippet to the server block of your Nginx configuration. It disables SSLv2 and SSLv3 (POODLE), removes RC4, export-grade (FREAK), anonymous, NULL and MD5 suites, and makes the server choose the cipher order so that AES-GCM suites with forward secrecy (ECDHE/DHE) are picked first. Note that Heartbleed is a bug in OpenSSL itself, not in the protocol: no Nginx setting fixes it, only an upgraded OpenSSL does.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
Two caveats: "!DES" removes only single DES, so the three DES-CBC3-SHA (3DES) suites stay in the list for legacy clients and can be dropped if you do not need them. TLSv1 and TLSv1.1 are likewise kept only for old clients; if you do not have to support them, leave just TLSv1.2 (and TLSv1.3 where your Nginx and OpenSSL build support it).
Check the Nginx configuration and reload it:
/etc/init.d/nginx configtest
/etc/init.d/nginx reload
On systemd-based systems the equivalent is nginx -t && systemctl reload nginx.
Protecting from Logjam and Deploying Diffie-Hellman for TLS
1. Generate strong DH parameters (2048 bits is the minimum recommended by weakdh.org; generating them takes a few minutes)
openssl dhparam -out dhparams.pem 2048
2. Copy to nginx dir
cp dhparams.pem /etc/nginx/conf.d/
3. Configure Nginx to use the new dhparams file (in the same server block as the ssl_* directives above; without it, Nginx before 1.11.0 falls back to a built-in 1024-bit group, and newer versions simply do not offer DHE suites)
ssl_dhparam /etc/nginx/conf.d/dhparams.pem;
4. Check the Nginx configuration and reload it
/etc/init.d/nginx configtest
/etc/init.d/nginx reload
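As a check for both procedures above (the ssl_protocols/ssl_ciphers hardening and the ssl_dhparam step), the following Python script audits a server block and the generated dhparams.pem. It is an added example, not code from the original post: it parses the ssl_* directives, flags SSLv2/SSLv3, missing cipher exclusions, a missing ssl_dhparam and the leftover 3DES suites, and reads the DH prime size directly from the PEM's DER encoding so it needs only the standard library. The two config blocks and the PEM generator are constructed samples (the generated p is not a real safe prime; only its encoding matters here), and the cipher string is abbreviated.

```python
"""Audit an nginx TLS configuration against the two procedures above.
Added example, not code from the original post: it parses the ssl_*
directives of a server block, flags SSLv2/SSLv3, missing cipher exclusions
and an unset ssl_dhparam, and reads the DH prime size out of dhparams.pem's
DER encoding (SEQUENCE { INTEGER p, INTEGER g }) with only the stdlib."""
import base64
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!EXPORT", "!MD5", "!RC4"}
MIN_DH_BITS = 2048  # weakdh.org's minimum recommendation

def parse_directives(config_text):
    """Map each ssl_* directive in the text to its (unquoted) value."""
    pattern = re.compile(r'^\s*(ssl_\w+)\s+("?)(.*?)\2\s*;', re.M)
    return {m.group(1): m.group(3) for m in pattern.finditer(config_text)}

def _der_length(buf, i):
    """Decode a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem_text):
    """Bit length of p in a 'DH PARAMETERS' PEM (no crypto library needed)."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    if der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    _, i = _der_length(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    p_len, i = _der_length(der, i + 1)
    return int.from_bytes(der[i:i + p_len], "big").bit_length()

def audit(config_text, dhparam_pem=None):
    """Return a list of findings; an empty list means the config passes."""
    d = parse_directives(config_text)
    findings = []
    if "ssl_protocols" not in d:
        findings.append("ssl_protocols not set explicitly (older nginx enabled SSLv3 by default)")
    bad = set(d.get("ssl_protocols", "").split()) & WEAK_PROTOCOLS
    if bad:
        findings.append(f"ssl_protocols enables {sorted(bad)} (POODLE)")
    tokens = set(d.get("ssl_ciphers", "").split(":"))
    missing = REQUIRED_EXCLUSIONS - tokens
    if missing:
        findings.append(f"ssl_ciphers lacks exclusions {sorted(missing)}")
    if any("DES-CBC3" in t for t in tokens):
        findings.append("warn: ssl_ciphers still offers 3DES (DES-CBC3-SHA); !DES does not remove it")
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam not set (nginx before 1.11.0 used a built-in 1024-bit group)")
    elif dhparam_pem is not None:
        bits = dh_prime_bits(dhparam_pem)
        if bits < MIN_DH_BITS:
            findings.append(f"DH group is only {bits} bits (Logjam); regenerate with >= {MIN_DH_BITS}")
    return findings

def _der_len_bytes(n):
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb

def _der_int(n):
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra 0x00 keeps it positive
    return b"\x02" + _der_len_bytes(len(b)) + b

def make_sample_dhparams(bits, g=2):
    """Constructed DH PEM whose p has exactly `bits` bits. p is NOT a real
    safe prime; only the encoding matters for exercising dh_prime_bits."""
    der_body = _der_int((1 << (bits - 1)) | 1) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len_bytes(len(der_body)) + der_body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

# Constructed sample: an old-style block of the kind the post's snippet replaces.
WEAK_CONFIG = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:MEDIUM:RC4;
"""

# Constructed sample: the post's hardened settings, cipher string abbreviated.
HARDENED_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/conf.d/dhparams.pem;
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened, 2048-bit DH:", audit(HARDENED_CONFIG, make_sample_dhparams(2048)))
    print("hardened, 1024-bit DH:", audit(HARDENED_CONFIG, make_sample_dhparams(1024)))
```

Run it against your real files by passing the server block text and open("/etc/nginx/conf.d/dhparams.pem").read() to audit(). The hardened snippet from the post yields a single warning (the 3DES suites that "!DES" does not remove); a 1024-bit dhparams.pem adds a Logjam finding, and a block that still lists SSLv3 or has no ssl_dhparam is reported as such.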
External Resources and Tools
Detailed information on the different attacks and how to protect yourself
Check whether you are using weak DH and how to fix it: https://weakdh.org/sysadmin.html
Check your site's overall TLS configuration: https://www.ssllabs.com/ssltest/analyze.html