Why is SSLv3 still enabled on my server? I want to disable it because some computers cannot open my page due to safety issues.
I found this guide:
But currently I've got it set. My server is hosted in Google Cloud, I currently have this Nginx configuration file:
...
ssl on;
ssl_certificate /etc/nginx/dba_certs/dba_ssl2/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/dba_certs/dba_keys/dba.key;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
...
OpenSSL version is 1.0.1f 6 Jan 2014.
What could be wrong?
To disable SSLv3 in another popular web server, NGINX, we need to edit the configuration file nginx.conf. And we add the following line to the server directive:
On CentOS/RedHat 7.x+ servers, the Apache restart command would be: Similarly, on Ubuntu and Debian servers, we need to make the following changes as the root user. Run the command "service apache2 restart".
For SSLv3, an easy way to do this is to check the connection on port 443 of the server using the command: Replace example.com with your server name and 443 with your SSL port. Any result other than this means that the server supports SSLv3. How to disable SSLv3 in Linux?
The Exim mail server also makes use of secure protocols in handling emails. As a result, we need to disable SSLv3 in Exim too. To do this, we need to make changes in the Exim configuration file at /etc/exim.conf.
To disable SSLv3, you'll have to edit default server configuration, not just an arbitrary virtual host config. It can only be disabled for a listen socket, not just a virtual server. The configuration snippet you've provided suggests that you are using per-server included configuration files, so you'll have to find one with default_server in the appropriate listen directive, and disable SSLv3 there:
server {
listen 443 default_server ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
...
}
Or, better yet, edit the configuration at http level, in nginx.conf:
http {
...
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
...
}
You may also consider upgrading nginx to a recent version. In nginx 1.9.1+ SSLv3 is disabled by default.
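The rule described in the answer above (the default server of a listen socket decides the protocols, with inheritance from the http level) can be checked mechanically. This is an added example, not code from the thread: a small Python audit over concatenated nginx configuration text. The sample config, the function names and the pre-1.9.1 built-in default are assumptions of the example, and include directives are not followed.

```python
import re

OLD_DEFAULT = "SSLv3 TLSv1 TLSv1.1 TLSv1.2"  # assumed built-in value before nginx 1.9.1
PROTO_RE = re.compile(r'\bssl_protocols\s+([^;]+);')

def server_blocks(conf):
    """Return the body of every server { ... } block (brace matching)."""
    bodies = []
    for m in re.finditer(r'\bserver\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        bodies.append(conf[m.end():i - 1])
    return bodies

def effective_protocols(conf, builtin=OLD_DEFAULT):
    """Map each TLS listen socket to the protocols of its default server."""
    conf = re.sub(r'#.*', '', conf)               # drop comments
    bodies = server_blocks(conf)
    outside = conf
    for body in bodies:
        outside = outside.replace(body, '')       # what is left is http level
    m = PROTO_RE.search(outside)
    inherited = m.group(1) if m else builtin      # http level, else built-in
    chosen = {}                                   # socket -> (protocols, is_default)
    for body in bodies:
        m = PROTO_RE.search(body)
        protos = (m.group(1) if m else inherited).split()
        for listen in re.findall(r'\blisten\s+([^;]+);', body):
            sock, *flags = listen.split()
            if not ('ssl' in flags or re.search(r'\bssl\s+on\s*;', body)):
                continue                          # plain HTTP listener
            is_default = 'default_server' in flags
            # The first server on a socket is its default unless one is marked.
            if sock not in chosen or (is_default and not chosen[sock][1]):
                chosen[sock] = (protos, is_default)
    return {sock: protos for sock, (protos, _) in chosen.items()}

def sslv3_sockets(conf, builtin=OLD_DEFAULT):
    """List listen sockets whose default server still allows SSLv3."""
    return sorted(s for s, p in effective_protocols(conf, builtin).items() if 'SSLv3' in p)

# Constructed sample: the vhost restricts protocols, the default server does not.
SAMPLE = """
http {
    server { listen 443 default_server ssl; server_name _; }
    server { listen 443 ssl; server_name example.com; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
}
"""
FIXED = SAMPLE.replace("http {", "http {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", 1)
```

On the constructed sample, sslv3_sockets(SAMPLE) reports socket 443 even though the example.com vhost lists only TLS versions; sslv3_sockets(FIXED), with the directive at http level, reports nothing.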
I can confirm that SSL3 is enabled. To disable, you need to modify either the NGINX configuration (nginx.conf) or the VirtualHost configuration file. In your case it is probably the following file:
$ sudo vim /etc/nginx/sites-enabled/dragonboundaimbot.com
...
listen 443 default_server ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
...
$ sudo service nginx restart
SSL3 is not the only problem though. Some of the cipher suites are deprecated and should not be used. Try to reduce the cipher suites to the following:
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq. 3072 bits RSA) FS 112
For other improvements, check e.g. the website with the Chrome browser and/or run an additional test on ssllabs.com.