Harden your SSL Security - The site is using outdated security.


If you’ve seen the following warning in your browser when accessing your
already-configured nginx SSL site, you probably need to work on getting it compliant.

There are a couple of reasons why you’re getting the error, and it may not be
apparent what exactly is causing it.

This article should help you get an A grade in SSLLabs’s SSL Test.

### Backstory

As of 26 September 2014, Chrome (and also Firefox) have started the process of
sunsetting SHA-1 certificate support and will give the above error if you’re
using a certificate that is signed with SHA-1.

If you’ve just installed a newly issued SSL cert from your certificate
authority, you should already have been issued a certificate signed with SHA-256,
as most CAs have already stopped signing with SHA-1.

If not, make sure you request a reissue of your certificate signed with
SHA-256.

### Disable Support for SSLv3

In your server block configuration in NGINX, explicitly list only the TLS
protocols so that SSLv3 is no longer offered.

```nginx
server {
    # ...
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ...
}
```

### Run a Logjam Test

Using the free Diffie-Hellman Server Test, check whether your site is vulnerable
to weak encryption. If it is, you’ll need to generate a unique DH group to
strengthen it.

Create a new DH Group Key

```shell
$ openssl dhparam -out dhparams.pem 2048
```

You should store this file in the same directory as your site’s existing certs.

Allow only certain Cipher Suites

```nginx
# in your nginx configuration
server {
    # ...
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    # ...
}
```

Add your dhparam key into your configuration

```nginx
server {
    # ...
    ssl_prefer_server_ciphers on;
    ssl_dhparam /path/to/your/dhparams.pem;
    # ...
}
```
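The three configuration changes above (restricting `ssl_protocols`, enabling only the listed cipher suites with `ssl_prefer_server_ciphers on`, and pointing `ssl_dhparam` at your own DH group) are easy to get subtly wrong in a large server block. The script below is an added example, not code from the article or from NGINX: it flattens an nginx config fragment into directives and reports which of the article's checks a server block fails. The two embedded server blocks, the `example.com` host name and the `/etc/nginx/ssl/...` paths are constructed for the example.

```python
import re
import shlex

# The protocol set the article configures (2014-era). Pass a different set to
# lint_tls_config() to apply a stricter policy, e.g. {"TLSv1.2", "TLSv1.3"}.
ARTICLE_PROTOCOLS = frozenset({"TLSv1", "TLSv1.1", "TLSv1.2"})

# Substrings that mark the cipher families the article's string disables
# with !RC4, !MD5, !EXPORT, !aNULL and !eNULL.
WEAK_MARKERS = ("RC4", "MD5", "EXPORT", "NULL")


def parse_directives(config_text):
    """Flatten an nginx config fragment into a list of (directive, args).

    Comments are stripped and braces are treated as statement separators, so
    nesting is lost; that is enough to inspect the ssl_* directives of one
    server block.
    """
    text = re.sub(r"#[^\n]*", "", config_text)
    text = text.replace("{", ";").replace("}", ";")
    directives = []
    for statement in text.split(";"):
        tokens = shlex.split(statement)   # honours nginx's single quotes
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def weak_cipher_tokens(cipher_string):
    """Return the positively enabled tokens that name a weak cipher family."""
    weak = []
    for token in cipher_string.split(":"):
        if token.startswith(("!", "-")):
            continue                       # excluded or removed, not enabled
        upper = token.upper()
        if any(marker in upper for marker in WEAK_MARKERS):
            weak.append(token)
        elif "DES" in upper and "CBC3" not in upper and upper != "3DES":
            weak.append(token)             # single DES; 3DES tokens say CBC3
    return weak


def lint_tls_config(config_text, allowed_protocols=ARTICLE_PROTOCOLS):
    """Return (code, detail) findings for the checks the article walks through."""
    ssl = {name: args for name, args in parse_directives(config_text)
           if name.startswith("ssl_")}
    findings = []

    protocols = ssl.get("ssl_protocols")
    if protocols is None:
        findings.append(("PROTOCOL", "ssl_protocols is not set; set it explicitly"))
    for proto in sorted(set(protocols or []) - set(allowed_protocols)):
        findings.append(("PROTOCOL", f"ssl_protocols enables {proto}"))

    ciphers = ssl.get("ssl_ciphers")
    if not ciphers:
        findings.append(("CIPHER", "ssl_ciphers is not set"))
    else:
        for token in weak_cipher_tokens(ciphers[0]):
            findings.append(("CIPHER", f"weak cipher family enabled: {token}"))

    if ssl.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append(("PREFER", "ssl_prefer_server_ciphers is not on"))

    if "ssl_dhparam" not in ssl:
        findings.append(("DHPARAM", "ssl_dhparam is not set; no custom DH group is configured"))
    return findings


# Constructed sample: a server block with the problems the article fixes.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com;   # placeholder host
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'HIGH:MEDIUM:RC4-SHA:DES-CBC-SHA:!aNULL';
    ssl_prefer_server_ciphers off;
}
"""

# Constructed sample: the same block after applying the article's changes
# (cipher list shortened to a few of the article's suites for readability).
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {lint_tls_config(cfg) or 'no findings'}")
```

The default protocol set mirrors the article's 2014 setting so the hardened block above passes cleanly. TLS 1.0 and 1.1 have since been deprecated (RFC 8996), so for a current deployment pass `allowed_protocols={"TLSv1.2", "TLSv1.3"}`, which makes the linter flag the article's `TLSv1 TLSv1.1` as well.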

Now, restart NGINX and run the SSLLabs test again.

I hope this article gives you a quick hardening tip; these steps should be part of
any new HTTPS deployment.