Friday, November 11, 2016

ssl - Nginx sslv3 poodle disable



I tried to set up an SSL cert without SSLv3 in my nginx, but SSL Labs says my server has SSLv3. How do I disable it?



My config:



    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
    ssl_prefer_server_ciphers on;
    # second Strict-Transport-Security add_header: nginx will emit the header twice
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';

Answer



Here is a good tutorial on how to configure nginx with the best settings:

https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html



Your configuration for SSLv3 is correct:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

The post has a section on your ciphers:

    ssl_ciphers 'AES256+EECDH:AES256+EDH';
