Nginx – Hardening SSL security by protecting from well-known attack vectors

Author: gryzli

Recently a bunch of SSL attacks have popped up, some of which got a lot of public attention:

  • Heartbleed
  • Beast attack
  • Crime attack
  • Freak attack
  • Poodle
  • …and so on


Disabling SSLv3 and SSLv2 and Excluding Weak Cipher-Suites


If you want to protect your Nginx from most of these attacks, add the following snippet to your Nginx config:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;


Check the Nginx configuration and reload it

/etc/init.d/nginx configtest

/etc/init.d/nginx reload


Protecting from Logjam and Deploying Diffie-Hellman for TLS

1. Generate strong DH parameters

openssl dhparam -out dhparams.pem 2048

2. Copy the file to the Nginx config directory

cp dhparams.pem /etc/nginx/conf.d/

3. Configure Nginx to use the new dhparams file

ssl_dhparam /etc/nginx/conf.d/dhparams.pem;


4. Check the Nginx configuration and reload it

/etc/init.d/nginx configtest

/etc/init.d/nginx reload
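As an added example (not code from the original post), a small shell audit that checks an nginx config file for the four things the two sections above change: SSLv2/SSLv3 in ssl_protocols, RC4/MD5/export/NULL entries in ssl_ciphers, ssl_prefer_server_ciphers not set to on, and a missing ssl_dhparam. The two sample configs and the dhparams path are constructed for the demo.

```shell
#!/bin/sh
# Static audit of an nginx config for the TLS weaknesses this post fixes: legacy
# SSL versions, weak suites, client-chosen cipher order, missing DH parameters.
# Usage: audit_nginx_tls /etc/nginx/conf.d/site.conf
# Prints one finding per line and nothing when the config is clean.
audit_nginx_tls() {
  cfg="$1"
  # Value of a directive ("ssl_protocols a b;" -> "a b"); '#' lines never match.
  directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\(.*\);.*/\1/p" "$cfg" | head -n 1
  }
  protos=$(directive ssl_protocols)
  case " $protos " in
    *SSLv2*|*SSLv3*) echo "ssl_protocols still enables SSLv2/SSLv3 (POODLE): $protos" ;;
  esac
  # Walk the OpenSSL cipher list: an entry that is not an exclusion (!...)
  # but names RC4, MD5, export-grade or NULL suites is a finding.
  ciphers=$(directive ssl_ciphers | tr -d '"')
  for entry in $(printf '%s' "$ciphers" | tr ':' ' '); do
    case "$entry" in
      '!'*) ;;
      *RC4*|*MD5*|*EXP*|*NULL*) echo "ssl_ciphers permits a weak suite: $entry" ;;
    esac
  done
  [ "$(directive ssl_prefer_server_ciphers)" = "on" ] \
    || echo "ssl_prefer_server_ciphers is not 'on': the client chooses the suite"
  [ -n "$(directive ssl_dhparam)" ] \
    || echo "ssl_dhparam not set: generated 2048-bit DH parameters are not in use (Logjam)"
}
# Constructed sample configs for trying the audit without a real server.
sample_weak_config() {
  cat <<'EOF'
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:MEDIUM:RC4-SHA:!aNULL";
    ssl_prefer_server_ciphers off;
}
EOF
}
sample_hardened_config() {
  cat <<'EOF'
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/conf.d/dhparams.pem;
}
EOF
}
```

Run `sample_weak_config > weak.conf; audit_nginx_tls weak.conf` to see all four findings, then point it at your real config; an empty result means the settings from this post are in place.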


External resources and Tools

Detailed info on different attacks and how to protect yourself

Check if you are using weak DH and how to fix it: https://weakdh.org/sysadmin.html

Checking your overall site security: https://www.ssllabs.com/ssltest/analyze.html