Debian Tutorials

Debian Tutorials


Step by step tutorials showing you how to install and configure various applications and services on Debian based Linux distros.

November 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
252627282930  

Categories


How to disable SSLv3 in Nginx (protect against the POODLE vulnerability)

Ástþór IPÁstþór IP

SSL 3.0 is an obsolete and insecure protocol recently affected by the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability which allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

SSLv3 has been replaced by TLS which is supported by all modern browsers so it should be safe to disable SSLv3.

Here’s how to identify sites supporting SSLv3 and disable it:

1. Get a list of all sites supporting SSLv3:

grep -r ssl_protocol /etc/nginx

This will give you a list of the sites currently supporting SSLv3:

/etc/nginx/sites-available/default:# ssl_protocols SSLv3 TLSv1;
/etc/nginx/sites-enabled/mysite.com: ssl_protocols SSLv3 TLSv1;

2. Now you need to open each file in a text editor (ex. pico /etc/nginx/sites-available/default)

Replace this line:

ssl_protocols SSLv3 TLSv1;

with:

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

3. When you have done that to all affected sites, restart Nginx:

/etc/init.d/nginx restart

Comments 0
There are currently no comments.