
I'm having an issue trying to disable SSLv3 on my nginx installation.

HTTPS works fine, but I just can't seem to disable SSLv3 and it makes my site vulnerable to the POODLE attack. Also, for some reason the connection is encrypted over 128-bit instead of 256-bit even though I got a 256-bit certificate.

Nginx version: 1.6.2

Here's what I entered into my server block on the site I wanted to use:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers On;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

Thanks!

Svenskunganka
  • The number of bits isn't the only factor in encryption. Also, the size of the private key used to generate your certificate is certainly not 256-bit, as (for RSA) that would be really weak. The `ssl_protocols` line you use seems correct, so I would check Mozilla's documentation on how to choose the ciphers – gparent Oct 31 '14 at 14:12
  • The size is 2048 if I recall correctly. Do you have a link to Mozilla's docs that I can use? – Svenskunganka Oct 31 '14 at 14:13
  • Thanks gparent for the link to the other post. Was searching a lot but couldn't find anything. Thank you, that solved it for me! – Svenskunganka Oct 31 '14 at 14:26
  • @Svenskunganka http://nginx.com/blog/nginx-poodle-ssl/ – alexus Oct 31 '14 at 14:44
  • I had set the protocols correctly, but it still wasn't disabled until I set them correctly on ALL virtualhosts on that server. `openssl s_client -connect :443 -ssl3` lets you test if SSL3 is enabled and was what gave me the hint in that direction. – Daniel Jan 16 '15 at 13:10
  • Has anyone found out why? It still accepts SSLv3 even after restarting. – Jürgen Paul Jan 23 '15 at 09:57
  • @Daniel is right, the configuration needs to be applied to all virtual hosts or the surrounding http block. I had the same problem, I only applied it to one server block and it wasn't working. – Nenad Vukicevic Mar 04 '15 at 12:48

1 Answer

1. Disabling SSLv3

The only line you need to make nginx stop using SSLv3 is your first one, i.e.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

If you still see nginx using SSLv3, then your new configuration has most probably not been applied.

Use nginx -t to test your configuration, then reload the service by using:

service nginx reload

or send a SIGHUP signal to the nginx master process.

To check that no error happened and that the configuration reload happened flawlessly, monitor your main error_log (the one defined at the highest level, typically main) closely. Errors will pop up there if something is wrong (i.e. due to SSL certificates or anything not detectable at configuration validation time).

2. Ciphers

Ciphers have nothing to do with your key size. They are negotiated between client and server to choose common supported cipher suites in order to execute the 4 parts of the SSL protocol where digests/hashes/signatures are needed.

Different cipher suites have different qualities that suit certain steps better than others.

More information about cipher suites is available @Wikipedia.

Bernard Rosset
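The comments above point at the usual cause when the `ssl_protocols` line looks right but `openssl s_client -ssl3` still connects: the directive was only added to one `server` block, while another TLS vhost on the same `listen` address (often the `default_server`) kept the built-in default, which in nginx 1.6.x still included SSLv3. The script below is an added example, not code from the question or the answer: it parses nginx's block syntax and reports the effective `ssl_protocols` for every TLS-enabled `server` block, applying nginx's rule that a directive in `server` replaces the one in `http` and that an absent directive falls back to the default. The config text, server names and certificate paths are constructed for the demo, `include` directives are not followed, and the assumed 1.6.x default of `SSLv3 TLSv1 TLSv1.1 TLSv1.2` is an assumption stated in the code (SSLv3 was only dropped from the default in nginx 1.9.1).

```python
"""Audit an nginx config for server blocks that still allow SSLv3.

Added example, not from the original Q&A. Resolves the effective
ssl_protocols for each TLS-enabled `server` block, honouring inheritance
from the enclosing `http` block. Does not follow `include` directives.
"""
import re

# Assumed default for nginx 1.6.x when no ssl_protocols directive is present
# (SSLv3 was removed from the default in 1.9.1).
NGINX_DEFAULT_PROTOCOLS = "SSLv3 TLSv1 TLSv1.1 TLSv1.2"


def tokenize(text):
    """Split nginx config text into words, quoted strings, ';', '{' and '}'.
    Comments ('#' to end of line) are discarded first."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)


def parse(tokens, pos=0):
    """Recursive-descent parse into a list of (name, args, children).
    children is None for a simple directive and a list for a block."""
    items = []
    while pos < len(tokens):
        if tokens[pos] == "}":
            return items, pos + 1
        words = []
        while tokens[pos] not in (";", "{"):
            words.append(tokens[pos])
            pos += 1
        if tokens[pos] == ";":
            items.append((words[0], words[1:], None))
            pos += 1
        else:
            children, pos = parse(tokens, pos + 1)
            items.append((words[0], words[1:], children))
    return items, pos


def blocks(items, name):
    """Yield the children of every block called `name` at this level."""
    for n, _args, children in items:
        if n == name and children is not None:
            yield children


def directive(items, name):
    """Return the args of simple directive `name` at this level, or None."""
    found = None
    for n, args, children in items:
        if n == name and children is None:
            found = args
    return found


def server_is_tls(server_items):
    """A server block terminates TLS if it has `listen ... ssl` or `ssl on;`."""
    for n, args, _children in server_items:
        if n == "listen" and "ssl" in args:
            return True
        if n == "ssl" and args == ["on"]:
            return True
    return False


def audit(config_text):
    """Return [(server_name, effective_protocols, allows_sslv3), ...] for
    every TLS-enabled server block in every http block."""
    tree, _ = parse(tokenize(config_text))
    results = []
    for http_items in blocks(tree, "http"):
        http_protos = directive(http_items, "ssl_protocols")
        for server_items in blocks(http_items, "server"):
            if not server_is_tls(server_items):
                continue
            # nginx does not merge: a server-level directive replaces the http one.
            protos = directive(server_items, "ssl_protocols") or http_protos
            if protos is None:
                protos = NGINX_DEFAULT_PROTOCOLS.split()
            names = directive(server_items, "server_name") or ["(unnamed)"]
            weak = "SSLv3" in protos or "SSLv2" in protos
            results.append((names[0], " ".join(protos), weak))
    return results


# Constructed sample reproducing the situation from the comments: the vhost the
# admin edited is fixed, the default_server on the same port never was.
BROKEN_CONF = """
http {
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate /etc/nginx/example.crt;      # constructed path
        ssl_certificate_key /etc/nginx/example.key;  # constructed path
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
    }
    server {
        listen 443 ssl default_server;   # untouched vhost: 1.6.x default applies
        server_name _;
        ssl_certificate /etc/nginx/default.crt;
        ssl_certificate_key /etc/nginx/default.key;
    }
    server {
        listen 80;
        server_name plain.example.com;   # no TLS, must not be reported
    }
}
"""

# The fix from the comments: set the directive once in the http block so every
# server block inherits it.
FIXED_CONF = BROKEN_CONF.replace(
    "http {", "http {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", 1)

if __name__ == "__main__":
    for label, conf in (("before", BROKEN_CONF), ("after", FIXED_CONF)):
        print(f"--- {label} ---")
        for name, protos, weak in audit(conf):
            print(f"{name:18} {protos:30} {'SSLv3 ENABLED' if weak else 'ok'}")
```

Run it against a real `nginx.conf` by reading the file into `audit()`; any row flagged `SSLv3 ENABLED` is a vhost that `openssl s_client -ssl3` would still be able to reach after `nginx -t && service nginx reload`, regardless of what the one block you edited says.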