Hardening Nginx SSL/TLS Configuration

A few days ago I had to investigate an SSL issue on one of my customer’s servers: he had installed an SSL certificate, but the Nginx SSL configuration was not hardened at all, so he was getting a very poor grade when checking his site at SSL Server Test.

If you are in the same situation and get a grade lower than A, you should optimize your Nginx SSL configuration. Here are some tips to harden it.

1) Protocol Support

When people say “SSL” it sounds like one single security protocol, but in fact it is not. One thing you have to know is that there is a whole family of “SSL” protocol versions:

SSL 1.0 – SSL 2.0 – SSL 3.0

TLS 1.0 – TLS 1.1 – TLS 1.2 – TLS 1.3

Both SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to provide communication security over the Internet. SSL 1.0 was never publicly released, and SSL 2.0 and 3.0 have known weaknesses that make them insecure compared with TLS. TLS is the default on most SSL servers because it is a more robust protocol than its predecessor; TLS 1.0 and 1.1 have themselves since been deprecated (RFC 8996), so TLS 1.2 and 1.3 are the versions to offer today.

So, the first step is to disable the old SSL protocols. Most people disable only SSLv2, but if SSLv3 stays enabled an attacker who interferes with the TLS handshake can make a client fall back to SSLv3, and SSLv3 has no cipher suite left that is considered safe (its CBC suites have a padding-oracle weakness and the only alternative is RC4), so the protection you get from modern TLS, including the forward secrecy of ephemeral key exchange, is lost for that session.

Add this to your nginx.conf (http or server context):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

TLSv1 and TLSv1.1 are kept here only for old clients; both have since been deprecated, so drop them and add TLSv1.3 when your Nginx and OpenSSL builds support it.

2) Cipher Suite Configuration

These are very aggressive rules I use, please tweak as you need:

ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';

The next directive does not by itself stop the BEAST attack; what it does is make Nginx choose the cipher according to the server’s list order above (AEAD GCM suites first) instead of the client’s preference, which is what makes the ordering in step 2 actually take effect. Note that the list above still offers 3DES (DES-CBC3-SHA; the !DES exclusion removes only single DES, which OpenSSL’s cipher-string syntax distinguishes from 3DES) and the static-RSA suites (AES256-SHA and friends) that have no forward secrecy; they are there for old clients and should be removed if you do not need them:

ssl_prefer_server_ciphers on;

3) Configure Stronger DHE Parameters

As of version 1.4.4 Nginx still relies on OpenSSL for the parameters of the Diffie-Hellman key exchange. This means that DHE (Ephemeral Diffie-Hellman) uses OpenSSL’s built-in default group, which is only 1024 bits (Nginx kept using built-in 1024-bit parameters until version 1.11.0). Today most people use 2048-bit certificates, so generate a matching 2048-bit DH parameter set on your server; this can take several minutes:

cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 2048

Now configure Nginx at http or server block level to use the new parameters:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

4) HSTS

If you are able, you should consider enabling the HSTS (HTTP Strict Transport Security) mechanism, which tells browsers to communicate with your website only over HTTPS. This is very important for reducing man-in-the-middle attacks, for example. Browsers only honour the header when it arrives on an HTTPS response, so it belongs in the TLS server block, not in the plain-HTTP redirect; add includeSubDomains to the value if every subdomain is also served over HTTPS. To enable HSTS on Nginx, add this to the virtual host or server block of your site:

add_header Strict-Transport-Security max-age=15768000;

Virtual Host Example (the header is sent from the HTTPS server block; the HTTP block only redirects):

server {
    listen 80;
    return 301 https://www.yourwebsite.com$request_uri;
}

server {
    listen 443 ssl;
    # ssl_certificate, ssl_certificate_key and the directives from steps 1-3 go here
    add_header Strict-Transport-Security max-age=15768000;
}
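As an added example (not code from the original post), here is a small Python checker that encodes the four rules above and runs them over two constructed Nginx fragments: one mirroring the layout this post started from (HSTS on the port-80 redirect, SSLv3 still on, 3DES and RC4 offered, no DH parameters) and one hardened version (TLS 1.2/1.3 only, AEAD ECDHE suites, server cipher order, explicit DH parameters, HSTS sent from the TLS server block). Hostnames, paths and the hardened cipher list are assumptions, the certificate directives are omitted, and the cipher check is a substring heuristic on explicit OpenSSL suite names rather than a full cipher-string expansion.

```python
import re

# OpenSSL suite-name fragments a hardened server should not offer. Assumption:
# substring matching is enough for explicit suite names; group keywords such
# as HIGH are skipped and would need `openssl ciphers -v` to expand.
WEAK_MARKERS = ("RC4", "MD5", "DES-CBC3", "DES-CBC", "EXP", "NULL")
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")               # ephemeral key exchange
BAD_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # broken or deprecated

# Constructed sample (hostnames and paths are made up): the layout the post
# started from, with HSTS on the port-80 redirect, SSLv3 on, 3DES and RC4 offered.
WEAK_CONFIG = """
server {
    listen 80;
    add_header Strict-Transport-Security max-age=15768000;  # never honoured here
    return 301 https://www.example.com$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA:RC4-SHA:!aNULL:!MD5';
}
"""

# Constructed sample: the same site with all four rules applied (certs omitted).
HARDENED_CONFIG = """
server {
    listen 80;
    return 301 https://www.example.com$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

def server_blocks(text):
    """Return the body of every `server { ... }` block, balancing braces by hand."""
    bodies = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        bodies.append(text[m.end():i - 1])
    return bodies

def directive_values(text, name):
    """Argument string of every `name ...;` directive in text, outer quotes removed."""
    pattern = r"(?<![\w-])" + re.escape(name) + r"\s+([^;]*);"
    return [v.strip().strip("'\"") for v in re.findall(pattern, text)]

def listens_tls(body):
    """True for a server block with `listen ... ssl` or a listen on port 443."""
    return any("ssl" in a.split() or a.split(" ")[0].endswith("443")
               for a in directive_values(body, "listen"))

def check_ciphers(spec):
    """Findings for one ssl_ciphers string. Exclusions (!X) and group keywords
    (HIGH) are skipped; note that `!DES` does not remove 3DES (OpenSSL: `3DES`)."""
    findings = []
    for token in spec.split(":"):
        if token[:1] in "!-+" or "-" not in token:
            continue
        if any(marker in token for marker in WEAK_MARKERS):
            findings.append(("weak_cipher", token))
        elif not token.startswith(PFS_PREFIXES):
            findings.append(("no_pfs_cipher", token))
    return findings

def audit(config):
    """Return (rule, detail) findings; an empty list means all four rules pass."""
    text = re.sub(r"#[^\n]*", "", config)                    # drop nginx comments
    findings = []
    for spec in directive_values(text, "ssl_protocols"):      # rule 1: protocols
        findings += [("protocol", p) for p in spec.split() if p in BAD_PROTOCOLS]
    cipher_specs = directive_values(text, "ssl_ciphers")      # rule 2: ciphers
    for spec in cipher_specs:
        findings += check_ciphers(spec)
    if "on" not in directive_values(text, "ssl_prefer_server_ciphers"):
        findings.append(("prefer_server_ciphers", "off: the client's cipher order wins"))
    uses_dhe = any(t.startswith(("DHE-", "EDH-"))             # rule 3: DH params
                   for spec in cipher_specs for t in spec.split(":"))
    if uses_dhe and not directive_values(text, "ssl_dhparam"):
        findings.append(("dhparam", "DHE suites offered with OpenSSL's default group"))
    for body in server_blocks(text):                          # rule 4: HSTS placement
        has_hsts = re.search(r"add_header\s+Strict-Transport-Security\b", body) is not None
        if has_hsts and not listens_tls(body):
            findings.append(("hsts_over_http", "browsers ignore HSTS on a plain-HTTP response"))
        elif listens_tls(body) and not has_hsts:
            findings.append(("hsts_missing", "TLS server block sends no Strict-Transport-Security"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it as a script to print the findings for both fragments, or call audit() on the text of your own nginx.conf. The checker is deliberately conservative about cipher strings: it only judges explicit suite names, so for a definitive view of what a string such as the one in step 2 expands to, run openssl ciphers -v with that string on the server itself.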

5) SSL TEST

How can I test my SSL security grade? There is an excellent website run by Qualys, SSL Labs, which offers some great SSL testing tools:

SSL Server Test

SSL Client Test

Need to read more about SSL hardening? Check out the SSL Labs Best Practices guide.

Source: Hardening Nginx SSL/TLS Configuration.
