Jeff Palmer

Technology, and so on and such like.

Hardening SSL on Nginx

I’ve decided to enable SSL on my personal site https://palmerit.net

I installed nginx on an Ubuntu 14.04 LTS server, generated a private SSL key, created a SHA-256 certificate signing request, and then went to NameCheap to have it signed. (As a side note, I can’t wait for Let’s Encrypt to launch.)

I enabled SSL on nginx, and decided to check out which ciphers were allowed out of the box.

openssl s_client -connect palmerit.net:443

I’ve snipped the output for brevity, but of particular concern was this section:

ssl-enum-ciphers:
   SSLv3
     ciphers:
       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
       TLS_RSA_WITH_AES_128_CBC_SHA - strong
       TLS_RSA_WITH_AES_256_CBC_SHA - strong
       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
     compressors:
       NULL

You may have read about POODLE recently, and the best way to prevent it is to disable SSLv3. After seeing this result, I went to SSL Labs to see what else I needed to disable.

After the initial scan, I had a C rating. I knew that, at a minimum, I needed to disable SSLv3, but I also decided to enable some of the newer technologies such as SPDY, HSTS, and OCSP stapling.

The end result was a configuration that looked like this:

In the main server block for palmerit.net, I added:

listen 443 ssl spdy;
include ssl.inc;

I then created /etc/nginx/ssl.inc which contained the following:

  ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache shared:SSL:10m;

  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.4.4 8.8.8.8 valid=300s;
  resolver_timeout 10s;

  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  add_header Strict-Transport-Security max-age=63072000;
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

I decided to create this as an include in case I later decide to add additional “nginx server blocks”.
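An offline check for the settings changed above, added here as an example and not part of the original post. The `parse` and `audit` helpers and the `WEAK` sample are constructed for illustration; `HARDENED` is the ssl.inc shown above.

```python
import re

# Contents of ssl.inc as given in the post.
HARDENED = """
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
"""
# Constructed "before" sample (not from the post): SSLv3 listed, DHE without dhparam.
WEAK = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'HIGH:EDH:!aNULL';
"""

def parse(text):
    """Map directive name -> list of argument strings (one-line directives only)."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.endswith(";"):
            name, _, args = line[:-1].partition(" ")
            out.setdefault(name, []).append(args.strip())
    return out

def audit(text):
    """Return a finding for each hardening step from the post that is missing."""
    d = parse(text)
    protocols = " ".join(d.get("ssl_protocols", [])).split()
    tokens = set(re.split(r"[:+\s'\"]+", " ".join(d.get("ssl_ciphers", []))))
    hsts = any(re.match(r"(?i)strict-transport-security\s.*max-age=\d+", h)
               for h in d.get("add_header", []))
    checks = [
        ("ssl_protocols unset: nginx built-in default applies", not protocols),
        ("SSLv3 enabled (POODLE)", "SSLv3" in protocols),
        ("DHE ciphers but no ssl_dhparam", bool(tokens & {"EDH", "DHE"}) and "ssl_dhparam" not in d),
        ("ssl_prefer_server_ciphers is not on", d.get("ssl_prefer_server_ciphers") != ["on"]),
        ("OCSP stapling is not on", d.get("ssl_stapling") != ["on"]),
        ("no HSTS header with max-age", not hsts),
    ]
    return [msg for msg, failed in checks if failed]
```

Cipher tokens are split on `:` and `+` before matching, because a plain substring test for `DHE` would also match `ECDHE`.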

The final result from an SSL Labs scan: A+

Keep in mind that I used a very restrictive cipher suite, which will block older clients from connecting. I don’t mind this (personally, I think people should be using modern browsers and software), but you might not want to shut older clients out of your site.

References:

- Raymii.org - Strong SSL on nginx