Disable SSLv3 on Nginx

Question

Why on my server still enabled SSLv3 ? I want to disable for reasons that in some computers can not open my page because of safety issues.

I found this guide:

But currently I've got it set. My server is hosted in Google Cloud, I currently have this Nginx configuration file:

...
ssl on;
ssl_certificate /etc/nginx/dba_certs/dba_ssl2/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/dba_certs/dba_keys/dba.key;

ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
...

OpenSSL version is 1.0.1f 6 Jan 2014.

What could be wrong?

Yes. Even that configuration was when I installed my certificates. This only happens on some computers, for example in my computer the page opens normally. — Walter Chapilliquen - wZVanG, Jul 24 '15 at 23:18
I do not think there is a connection between the error you get from the computers and sslv3, POODLE aware browsers does not handshake with sslv3. You may get certificate untrusted error because you may not have CA's intermediate certificate in your ssl-bundle.crt. Do you? — Burak Tamtürk, Jul 25 '15 at 00:01
@BurakTamtürk I followed this [guide](http://helpdesk.ssls.com/hc/en-us/articles/203427642-How-to-install-a-SSL-certificate-on-a-NGINX-server). I combined the 4 certificates files. — Walter Chapilliquen - wZVanG, Jul 25 '15 at 00:27
Browsers aware the POODLE attack just does not prefer to handshake on SSL3, in case they should handshake on TLS, they should not give an error since they're patched to not handshake on SSL3, and the rest unaware browsers can't complain too, because they don't know about POODLE. You may start looking elsewhere for the problem, your certificate might be signed with SHA1, which chrome shows yellow sign or you might load images, css, or fonts from http, which some browsers may refuse to download the content. You might try to open a new question for the error you get from some browsers. Good luck — Burak Tamtürk, Jul 25 '15 at 00:39
OpenSSL 1.0.1f 6 Jan 2014. I used this [checker](https://sslanalyzer.comodoca.com/?url=dragonboundaimbot.com). You can see some issues?. In that case, what step I follow? — Walter Chapilliquen - wZVanG, Jul 26 '15 at 06:19
Is Nginx reading the right configuration files? You may want to disable SSL to see whether HTTPS is still working (if it is still working, then it's the wrong file) — Tan Hong Tat, Jul 27 '15 at 02:35
Could you please try and show a minimal non-working nginx configuration? Which OS is running? — sebix, Jul 27 '15 at 18:39

score 9 · Accepted Answer · answered Jul 29 '15 at 18:28

To disable SSLv3, you'll have to edit default server configuration, not just an arbitrary virtual host config. It can only be disabled for a listen socket, not just a virtual server. The configuration snippet you've provided suggests that you are using per-server included configuration files, so you'll have to find one with default_server in the appropriate listen directive, and disable SSLv3 there:

server {
    listen 443 default_server ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ...
}

Or, better yet, edit the configuration at http level, in nginx.conf:

http {
    ...
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ...
}

You may also consider upgrading nginx to a recent version. In nginx 1.9.1+ SSLv3 is disabled by default.

The second method is cleaner, it has now been deactivated. While I'm thinking of upgrading Nginx, but I do not because I doubt that something will not work. Thank You. — Walter Chapilliquen - wZVanG, Aug 01 '15 at 14:59

rvaneijk · Answer 2 · 2015-07-31T09:02:49.277

I can confirm that SSL3 is enabled. To disable, you need to modify either the NGINX configuration (nginx.conf) or the VirtualHost configuration file. In your case it is probably the following file:

$ sudo vim /etc/nginx/sites-enabled/dragonboundaimbot.com

        ...
        listen 443 default_server ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ...

$ sudo service nginx restart

SSL3 is not the only problem though. Some of the cypher suites are depreciated and should not be used. Try to reduce the cypher-suites to the following:

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)  256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)     256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)  128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)     128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)     112
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   FS     256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   FS    256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   FS     128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS    128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH 256 bits (eq. 3072 bits RSA)   FS   112

For other improvements, check e.g. the website with the Chrome browser and/or run an additional test on ssllabs.com.

We don't even know what configuration files are in use and what's in them. — sebix, Jul 29 '15 at 08:07
I suggest to get in touch with a technician of the ISP that is hosting the site. — rvaneijk, Jul 29 '15 at 12:32
I appreciate your answer, but I realized that the solution was written before on the other response. Thank you very much anyway. — Walter Chapilliquen - wZVanG, Aug 01 '15 at 15:03
@wZVanG The other answer by maxim-dounin has been read *two days after* that one. — sebix, Aug 02 '15 at 17:53
@sebix, I only improved it slightly to make it the answer better to understand. — rvaneijk, Aug 05 '15 at 15:19

kaushik gandhi · Answer 3 · 2016-10-13T11:05:39.860

I have created a gist for the steps to be followed to get a A rating in Qualys SSL test. And steps to disable SSLv3 and enable TSLv1 in proper way

Add SSL ciphers :

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

Fix OpenSSL Padding Oracle vulnerability :

https://gist.github.com/ArturT/bc8836d3bedff801dc324ac959050d12

ADD SSL protocols:

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

Set Preferred ciphers on:

ssl_prefer_server_ciphers on;

in the server block we should enable TCP v6 and v4 support

listen 443 ssl;

listen [::]:443 ssl;

add default_server in the above block

listen 443 default_server ssl;

listen [::]:443 default_server ssl;

Or Read here :

https://gist.github.com/kaushikgandhi/663e6e47d8a42025e848e454f5e064c4

Disable SSLv3 on Nginx

3 Answers3