@rmoriz
Created June 21, 2012 11:11

Qualys nginx SSL/TLS Admin Ego Enlargement How-To

Configure nginx to score 94 or 98 points on the Qualys SSL Labs server test, depending on which of the two server blocks below you pick:

nginx.conf

http {
  ...
  # one cache shared by all worker processes; nginx fits roughly 4000 sessions per MB, so 10m is ~40k sessions
  ssl_session_cache    shared:SSL:10m;
  # resumed sessions skip the full handshake for this long after the first one
  ssl_session_timeout  10m;
  ...
}

server/site

98 points, but vulnerable to BEAST for TLSv1 clients: both suites are CBC, and AES256-SHA256 exists only in TLS 1.2, so every TLSv1 client ends up on AES256-SHA, which is exactly the CBC-under-TLS-1.0 combination BEAST needs:

server {
  ...
  ssl on;                   # nginx 1.1.x form; obsolete since 1.15.0, where "listen 443 ssl;" replaces it
  ssl_certificate           /etc/ssl/certs/cert.crt;
  ssl_certificate_key       /etc/ssl/private/key.key;
  ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
  # both CBC; the SHA256 suite needs TLS 1.2, so TLSv1 clients always get AES256-SHA
  ssl_ciphers               AES256-SHA256:AES256-SHA;
  ssl_prefer_server_ciphers on;
  ...
}

only 94 points, but not vulnerable to BEAST: because ssl_prefer_server_ciphers is on, the server's order wins. TLS 1.2 clients get the SHA256/GCM suites at the front of the list; TLSv1 clients cannot use those and fall through to RC4, a stream cipher with no CBC chaining for BEAST to attack, before any CBC suite from HIGH. !MD5 drops RC4-MD5, !aNULL drops unauthenticated suites and !EDH drops the DHE suites. The lower score is the price of that trade-off. Keep in mind this is the 2012 BEAST workaround; RC4 has since been broken far enough that RFC 7465 (2015) prohibits it in TLS, so read this as the trade-off of its time rather than current advice:

server {
  ...
  ssl on;                   # nginx 1.1.x form; obsolete since 1.15.0, where "listen 443 ssl;" replaces it
  ssl_certificate           /etc/ssl/certs/cert.crt;
  ssl_certificate_key       /etc/ssl/private/key.key;
  ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
  # TLS 1.2 suites first, then RC4 (stream) for TLSv1 clients, then the rest of HIGH minus MD5/aNULL/DHE
  ssl_ciphers               ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
  ssl_prefer_server_ciphers on;   # server order decides, so the RC4-before-CBC ordering actually takes effect
  ...
}
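To see concretely why the two lists behave differently for TLSv1 clients, here is an added example (my code, not from the gist) that simulates nginx's suite selection. The suite table, the two client offers and the expansion of RC4:HIGH:!MD5:!aNULL:!EDH are constructed assumptions for the demo, not OpenSSL's real output; it also runs the 94-point list with server preference switched off, which the gist does not show, to make visible what ssl_prefer_server_ciphers on buys.

```python
"""Simulate which suite nginx picks from each server block above, per client.

Added example, not part of the original gist. The suite table and client
offers are constructed for the demo, and the expansion of
"RC4:HIGH:!MD5:!aNULL:!EDH" is an assumed approximation of what OpenSSL 1.0.1
would produce (run `openssl ciphers -v '<string>'` for the real list).
"""

# nginx ssl_protocols tokens, ranked so that "<=" means "at least this version".
PROTOCOLS = {"TLSv1": 0, "TLSv1.1": 1, "TLSv1.2": 2}

# Constructed table: suite -> (cipher mode, lowest protocol that defines it).
# SHA256-MAC and GCM suites exist only in TLS 1.2.
SUITES = {
    "AES256-SHA256": ("cbc", "TLSv1.2"),
    "AES256-SHA": ("cbc", "TLSv1"),
    "AES128-SHA": ("cbc", "TLSv1"),
    "ECDHE-RSA-AES128-SHA256": ("cbc", "TLSv1.2"),
    "AES128-GCM-SHA256": ("aead", "TLSv1.2"),
    "RC4-SHA": ("stream", "TLSv1"),
}

# ssl_ciphers of the two server blocks, in server preference order.
CONFIG_98 = ["AES256-SHA256", "AES256-SHA"]
CONFIG_94 = ["ECDHE-RSA-AES128-SHA256", "AES128-GCM-SHA256",  # TLS 1.2 only
             "RC4-SHA",                                        # "RC4" minus RC4-MD5 (!MD5)
             "AES256-SHA", "AES128-SHA"]                       # assumed remainder of HIGH

# Constructed ClientHello offers: a 2012 browser stuck on TLS 1.0, and a TLS 1.2 client.
TLS10_CLIENT = ("TLSv1", ["AES256-SHA", "AES128-SHA", "RC4-SHA"])
TLS12_CLIENT = ("TLSv1.2", ["AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
                            "AES256-SHA256", "AES256-SHA", "RC4-SHA"])


def usable(server_ciphers, protocol):
    """Suites from the server list that exist for the negotiated protocol."""
    level = PROTOCOLS[protocol]
    return [c for c in server_ciphers
            if c in SUITES and PROTOCOLS[SUITES[c][1]] <= level]


def negotiate(server_ciphers, client, prefer_server=True):
    """Return the suite selected for this ClientHello, or None (handshake failure).

    prefer_server=True models ssl_prefer_server_ciphers on: walk the server
    list and take the first suite the client offered. prefer_server=False
    models the default, where the client's order decides.
    """
    protocol, offered = client
    candidates = usable(server_ciphers, protocol)
    if prefer_server:
        return next((c for c in candidates if c in offered), None)
    return next((c for c in offered if c in candidates), None)


def beast_exposed(protocol, suite):
    """BEAST needs a CBC suite under SSL 3.0 / TLS 1.0. TLS 1.1+ uses explicit
    per-record IVs, and stream/AEAD suites have no CBC chaining to attack.
    SSLv3 is not in ssl_protocols here, so only TLSv1 matters."""
    return suite is not None and protocol == "TLSv1" and SUITES[suite][0] == "cbc"


def report(server_ciphers, prefer_server=True):
    """One (client protocol, chosen suite, exposed) row per constructed client."""
    rows = []
    for client in (TLS10_CLIENT, TLS12_CLIENT):
        suite = negotiate(server_ciphers, client, prefer_server)
        rows.append((client[0], suite, beast_exposed(client[0], suite)))
    return rows


if __name__ == "__main__":
    for label, cfg in (("98 points", CONFIG_98), ("94 points", CONFIG_94)):
        for protocol, suite, exposed in report(cfg):
            print(f"{label:>9} {protocol:<8} -> {suite or 'handshake failure':<26} "
                  f"BEAST {'EXPOSED' if exposed else 'ok'}")
    # Same 94-point list with client preference: the TLSv1 client's own first choice wins.
    for protocol, suite, exposed in report(CONFIG_94, prefer_server=False):
        print(f"client-pref {protocol:<8} -> {suite:<26} BEAST {'EXPOSED' if exposed else 'ok'}")
```

The interesting row is the 94-point list with server preference off: the TLSv1 client lists AES256-SHA first, the server accepts it, and the RC4-first ordering in ssl_ciphers achieves nothing. Ordering and ssl_prefer_server_ciphers on only work together.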

Versions

Ubuntu 12.04 LTS

ii  nginx                                1.1.19-1                       small, but very powerful and efficient web server and mail proxy
ii  nginx-common                         1.1.19-1                       small, but very powerful and efficient web server (common files)
ii  nginx-full                           1.1.19-1                       nginx web server with full set of core modules

ii  openssl                              1.0.1-4ubuntu5.2               Secure Socket Layer (SSL) binary and related cryptographic tools
nginx -V
nginx version: nginx/1.1.19
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.1.19/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.1.19/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.1.19/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.1.19/debian/modules/nginx-dav-ext-module

Example

see https://www.ssllabs.com/ssltest/analyze.html?d=roland.io
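The SSL Labs report is the authoritative score, but you can check what a server negotiates per protocol from your own shell. The following is an added example, not from the gist: it wraps openssl s_client (the -tls1, -tls1_1 and -tls1_2 flags are real s_client options) and parses the Protocol/Cipher lines of its session summary; the sample outputs embedded in it are constructed, and host and port are whatever you pass in.

```python
"""Check what a live server actually negotiates for each ssl_protocols token.

Added example, not part of the original gist: it shells out to
`openssl s_client` once per protocol flag and parses the Protocol/Cipher
lines of the session summary. The sample outputs are constructed for the
demo. Modern OpenSSL builds may refuse TLS 1.0/1.1 at the default security
level, in which case those rows report a handshake failure.
"""
import re
import subprocess

# openssl s_client protocol flag -> the ssl_protocols token it exercises
PROTOCOL_FLAGS = {"-tls1": "TLSv1", "-tls1_1": "TLSv1.1", "-tls1_2": "TLSv1.2"}

# Lines of the "SSL-Session:" summary, e.g. "    Cipher    : RC4-SHA"
SUMMARY_RE = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)", re.MULTILINE)


def parse_s_client(output):
    """Return (protocol, cipher) from s_client output, or (None, None) when no
    handshake completed (s_client then prints Cipher 0000, or no summary at all)."""
    fields = dict(SUMMARY_RE.findall(output))
    cipher = fields.get("Cipher")
    if not cipher or cipher == "0000":
        return None, None
    return fields.get("Protocol"), cipher


def cipher_mode(cipher):
    """Classify an OpenSSL suite name: GCM/CCM/ChaCha are AEAD, RC4 is a
    stream cipher, everything else in these lists is CBC."""
    if any(tag in cipher for tag in ("GCM", "CCM", "CHACHA")):
        return "aead"
    if "RC4" in cipher:
        return "stream"
    return "cbc"


def beast_exposed(protocol, cipher):
    """CBC under SSL 3.0 / TLS 1.0 is the BEAST precondition."""
    return (cipher is not None and protocol in ("SSLv3", "TLSv1")
            and cipher_mode(cipher) == "cbc")


def probe(host, port=443, timeout=15):
    """Handshake once per protocol; returns {token: (protocol, cipher, exposed)}."""
    results = {}
    for flag, token in PROTOCOL_FLAGS.items():
        cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
               "-servername", host, flag]
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
        protocol, cipher = parse_s_client(proc.stdout.decode(errors="replace"))
        results[token] = (protocol, cipher, beast_exposed(protocol, cipher))
    return results


# Constructed s_client excerpts, in the layout the real tool prints.
SAMPLE_TLS10_RC4 = """CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is RC4-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 5A3C1B
"""
SAMPLE_REFUSED = """CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

if __name__ == "__main__":
    import sys
    for token, (protocol, cipher, exposed) in probe(sys.argv[1]).items():
        state = ("handshake failed" if cipher is None
                 else f"{cipher} ({protocol}) BEAST {'EXPOSED' if exposed else 'ok'}")
        print(f"{token:<8} {state}")
```

Run it as `python3 probe.py example.com` against the host in question; a server on the 94-point list should show an RC4 suite on the TLSv1 row and a SHA256/GCM suite on the TLSv1.2 row, while the 98-point list shows AES256-SHA on TLSv1 and is flagged.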

enjoy!

Roland (roland@ moriz.de)
@cossou commented Aug 5, 2013

Thanks! It was helpful!