Nginx
oleg_sidorenkov, 2015-08-26 10:33:42

How to disable SSLv3 to prevent POODLE attacks?

I am setting up protection of a web page by means of a certificate. I decided to check it on Qualys SSL Labs. I saw some problems and decided to figure them out. First of all, I decided to eliminate the POODLE attack threat. Here is what the check says: This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. I read articles and realized that I need to disable the outdated SSLv3 protocol, leaving only the various versions of TLS. (Actually, of all browsers, only IE6 on Windows XP uses SSLv3, so it's okay if those clients fail to log in.) The web server is nginx 1.8. Then I dug through guides. I came across an article: https://www.linode.com/docs/security/security-patc...
I did it according to the manual, but after re-checking, the protocol is still working.
My settings are:
server {
    listen 80;
    listen 443 ssl;
    server_name my.domain.ru;
    # "ssl on;" enables TLS for the whole server block, i.e. for the port-80
    # listener as well; "listen 443 ssl" above already enables it for 443.
    # ssl on;
    ssl_certificate /path/to/cert/domain.crt;
    ssl_certificate_key /path/to/key/domain.key;
    # TLS only: SSLv3 is not listed, so it should be refused once this is active.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    access_log /var/log/nginx/my.domain.ru.conf.access_log main;
    error_log /var/log/nginx/my.domain.ru.conf.error_log info;
    ###root /var/www/localhost/htdocs;
    location / {
        proxy_pass http://127.0.0.1:8080;
        include /etc/nginx/proxy.conf;
    }
}
Actually, where did I forget to tweak it to get rid of SSLv3?


1 answer(s)
Nazar Mokrinsky, 2015-08-26
@nazarpc

Have you restarted Nginx? It is better to register this in nginx.conf in general and not reconfigure it in virtual hosts.
Also, replace the ciphers with this:
Well, it is desirable to enable HSTS.
I also somehow got confused at some point; an A+ is not difficult to get, you just need to spend a little time and set it up again.
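Added example, not from the question, the answer, or nginx's own documentation: a small POSIX sh script that builds two constructed nginx config trees (one that still allows SSLv3, one laid out as the answer suggests, with ssl_protocols set once in nginx.conf and HSTS enabled), audits a tree for SSLv3, and shows the validate-reload-probe step that answers "have you restarted Nginx?". The file paths, host name and the reload_and_probe function are assumptions; the only values taken from the page are the asker's paths, cipher string and backend address. nginx 1.8's built-in default for ssl_protocols still included SSLv3, which is why a tree with no directive at all is reported as SSLv3-enabled.

```shell
#!/bin/sh
# Added example (not from the original post or nginx's own docs).
# Assumes a POSIX sh with find/grep/sed; the file paths, host name and the
# reload_and_probe step are illustrative. nginx 1.8's built-in default for
# ssl_protocols still included SSLv3, so a tree with no directive at all is
# treated as SSLv3-enabled.

# Build two constructed config trees under $1 (demo data, not real files):
#   $1/bad  - no http-level directive, and a vhost that lists SSLv3
#   $1/good - the layout the answer recommends: protocols set once in
#             nginx.conf, HSTS header, no obsolete "ssl on;"
make_sample_trees() {
    base="$1"
    mkdir -p "$base/bad/conf.d" "$base/good/conf.d"

    cat > "$base/bad/nginx.conf" <<'EOF'
http {
    include conf.d/*.conf;
}
EOF
    cat > "$base/bad/conf.d/my.domain.ru.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name my.domain.ru;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 still allowed
}
EOF

    cat > "$base/good/nginx.conf" <<'EOF'
http {
    # Set once here; every ssl-enabled server block inherits it.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    include conf.d/*.conf;
}
EOF
    cat > "$base/good/conf.d/my.domain.ru.conf" <<'EOF'
server {
    listen 443 ssl;                      # "ssl on;" is not needed with this
    server_name my.domain.ru;
    ssl_certificate     /path/to/cert/domain.crt;
    ssl_certificate_key /path/to/key/domain.key;
    # HSTS: clients that have seen this header use HTTPS only (here ~6 months)
    add_header Strict-Transport-Security "max-age=15768000" always;
    location / { proxy_pass http://127.0.0.1:8080; }
}
EOF
}

# Exit 0 when SSLv3 is enabled somewhere under $1 (explicitly, or by
# default because no ssl_protocols directive exists), 1 when every
# ssl_protocols line is TLS-only. Commented-out directives are ignored.
sslv3_enabled() {
    lines=$(find "$1" -type f -name '*.conf' \
            -exec grep -Hn -E '^[[:space:]]*ssl_protocols[[:space:]]' {} + 2>/dev/null || :)
    [ -z "$lines" ] && return 0                                # default applies
    printf '%s\n' "$lines" | sed 's/#.*//' | grep -q 'SSLv3' && return 0
    return 1
}

# Live step, not run by the test: validate the config, reload it (an edited
# file changes nothing until nginx re-reads it), then try an SSLv3-only
# handshake from outside. Needs an openssl built with SSLv3 support; a
# hardened server refuses the handshake, so s_client exits non-zero.
reload_and_probe() {
    host="$1"
    nginx -t && nginx -s reload || return 2
    if openssl s_client -connect "$host:443" -ssl3 </dev/null >/dev/null 2>&1; then
        echo "SSLv3 handshake still accepted by $host"; return 1
    fi
    echo "SSLv3 refused by $host"
}
```

Run `sslv3_enabled /etc/nginx` before and after the change, then `reload_and_probe my.domain.ru` once the reload is done. Most current OpenSSL builds no longer accept `-ssl3`; in that case `nmap --script ssl-enum-ciphers -p 443 my.domain.ru` lists the protocols the server actually negotiates, and a re-scan on SSL Labs confirms the POODLE finding is gone.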
