Detect the SSL security vulnerabilities and improve the site security with Nginx configuration

In the last week, we verify our web site routine with several tools to check the site performance and prevent any security hook. We hosted most of our web application on Amazon Web Services, and we always update any newer software weekly to keep our software does not any security vulnerability due to the outdated software. However, it seems wrong when we check the tool to verify how the security of our site with SSLTest service, the reason is we always use the latest software, but we do not upgrade our new configuration, supported protocols of the new software, and it makes our site is weak for the security attack.

 

Screen Shot 2016-06-25 at 10.55.46 PM

As you see in the report, we do not support the protocol TLS 1.2 but we still support SSLv3, it made our sites have several security threats that could harm to our users. Of course, we want all areas are green and below is what we did to improve our sites security with the Nginx configuration. You can convert the similar thing with Apache server easily.

Remove the support protocols SSLv2, SSLv3

The protocols SSLv2, SSLv3 are obsoleted, and the site administrators should remove it our of your supported protocols. You modify the SSL protocols in Nginx configuration file
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Using the Cipher Suite

Per the Mozilla documentation, you can use the two following cipher suites:

  • Modern compatibility:

ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

  • Intermediate compatibility:

ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

We prefer to use the second option because it supports all TLS protocols 1, 1.1 and 1.2, the older protocols which the old devices still require to access.

Support perfect forward secrecy

If forward secrecy is used, even the current private key is interfered but the past message could not be decrypted –  https://en.wikipedia.org/wiki/Forward_secrecy. By default, Nginx will generate 1024-bit RSA keys for PFS ciphers and SSLLab will warn you about the weak key exchange. Fortunately, you can override this setting by your own generated Diffie–Hellman key exchange-based PFSs by the command

openssl dhparam -out /ect/nginx/ssl/dhparam.pem 4096

Wait for a while to let OpenSSL creates the strong key exchange, then ask Nginx to use it

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Restart the Nginx server, and check the SSLTest again, and we have the green status of the security report.

Screen Shot 2016-06-25 at 10.58.04 PM

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *