in Security, Web, Wheezy

How to disable SSLv3 in Nginx (protect against the POODLE vulnerability)

SSL 3.0 is an obsolete and insecure protocol, and the recently published POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability makes it worse: a man-in-the-middle attacker who can force a client and server to fall back to SSLv3 can use a padding-oracle side channel in its CBC cipher suites to decrypt part of the ciphertext (typically a session cookie) one byte at a time.

SSLv3 has been replaced by TLS, which every modern browser supports, so it is safe to disable SSLv3 on a web server. The one client of note that cannot speak even TLS 1.0 is Internet Explorer 6 on Windows XP; if you still need to serve it, you are also keeping a protocol that is no longer considered secure.

Here’s how to identify sites supporting SSLv3 and disable it:

1. Find every ssl_protocols directive under the Nginx configuration directory:

grep -r ssl_protocol /etc/nginx

This prints every line mentioning ssl_protocols, including commented-out ones (note the # in the first hit below), so read the output rather than trusting the count. Also be aware that a site with no ssl_protocols line at all gets the Nginx default, and in Nginx releases before 1.9.1 that default still includes SSLv3, so such sites need the directive added rather than edited:

/etc/nginx/sites-available/default:# ssl_protocols SSLv3 TLSv1;
/etc/nginx/sites-enabled/mysite.com: ssl_protocols SSLv3 TLSv1;

2. Now open each affected file in a text editor (e.g. pico /etc/nginx/sites-available/default).

Replace this line:

ssl_protocols SSLv3 TLSv1;

with:

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

(TLSv1.1 and TLSv1.2 need OpenSSL 1.0.1 or newer, which Wheezy ships. Putting the same directive in the http {} block of /etc/nginx/nginx.conf makes it the default for every server block, including ones that never had an ssl_protocols line of their own.)

3. When you have done that to all affected sites, check the configuration with nginx -t and then restart Nginx (a reload is enough to pick up the new ssl_protocols, but a restart works too):

/etc/init.d/nginx restart
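The three steps above, scripted, as an added example that is not part of the original post. It distinguishes active ssl_protocols lines from commented-out ones (plain grep -r does not), flags sites that rely on the Nginx default, rewrites the directive while keeping a backup, and checks from the outside that an SSLv3-only handshake is now refused. The /etc/nginx and /etc/init.d/nginx paths assume the Debian Wheezy layout used in the post; the sample site config and the host name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): scan an nginx config tree for
# server blocks that still enable SSLv3, rewrite the directive, and verify
# from the outside. Paths (/etc/nginx, /etc/init.d/nginx) assume the Debian
# Wheezy layout used in the post; the sample config below is constructed.

# Report the SSLv3 state of one config file:
#   yes     - an active (uncommented) ssl_protocols line includes SSLv3
#   no      - an active ssl_protocols line exists and omits SSLv3
#   default - no active ssl_protocols line, so the nginx default applies,
#             and before nginx 1.9.1 that default still includes SSLv3
sslv3_state_of() {
    if grep -E '^[[:space:]]*ssl_protocols[[:space:]].*SSLv3' "$1" >/dev/null 2>&1; then
        echo yes
    elif grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" >/dev/null 2>&1; then
        echo no
    else
        echo default
    fi
}

# List files under a directory with an active ssl_protocols line enabling
# SSLv3. Unlike a plain `grep -r ssl_protocol`, this ignores commented lines.
list_sslv3_files() {
    grep -rlE '^[[:space:]]*ssl_protocols[[:space:]].*SSLv3' "$1" 2>/dev/null
}

# Rewrite every active ssl_protocols line in a file to TLS only, keeping the
# original as FILE.bak. Commented-out lines are left alone.
disable_sslv3_in() {
    sed -i.bak -E \
        's/^([[:space:]]*)ssl_protocols[[:space:]][^;]*;/\1ssl_protocols TLSv1.2 TLSv1.1 TLSv1;/' "$1"
}

# From a client whose OpenSSL still supports SSLv3, attempt an SSLv3-only
# handshake against HOST:443. Prints ACCEPTED only if the handshake really
# completed with SSLv3; an OpenSSL built without SSLv3 rejects the -ssl3
# option instead, and that must not be mistaken for a hardened server.
sslv3_handshake() {
    out=$(echo | openssl s_client -connect "$1:443" -ssl3 2>&1 || true)
    if printf '%s\n' "$out" | grep -q 'Protocol *: SSLv3'; then
        echo ACCEPTED
    elif printf '%s\n' "$out" | grep -q 'unknown option'; then
        echo CLIENT-LACKS-SSLV3
    else
        echo refused
    fi
}

# The whole procedure on a live Wheezy host. Not called by default; run it
# as root once you have reviewed the output of list_sslv3_files /etc/nginx.
apply_to_nginx() {
    for f in $(list_sslv3_files /etc/nginx); do
        disable_sslv3_in "$f"
    done
    # Never reload a config nginx will not accept; a reload is enough to
    # pick up ssl_protocols, a full restart is not required.
    nginx -t && /etc/init.d/nginx reload
}

# --- Demo on a constructed config (not a real site) so it runs anywhere ---
tmp=$(mktemp -d)
cat > "$tmp/mysite.com" <<'EOF'
server {
    listen 443 ssl;
    server_name mysite.com;
    # ssl_protocols SSLv3 TLSv1;    # old commented-out copy: must be ignored
    ssl_protocols SSLv3 TLSv1;
}
EOF
echo "before: $(sslv3_state_of "$tmp/mysite.com")"      # yes
disable_sslv3_in "$tmp/mysite.com"
echo "after:  $(sslv3_state_of "$tmp/mysite.com")"      # no
grep ssl_protocols "$tmp/mysite.com"
rm -rf "$tmp"
```

After apply_to_nginx on the real host, run sslv3_handshake mysite.com (substituting your own host) from a machine whose OpenSSL still accepts -ssl3, as Wheezy's 1.0.1 does; "refused" is the result you want, and "ACCEPTED" means a server block, possibly one with no ssl_protocols line at all, still offers SSLv3.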
