David - Musings of an SRE

Harden your SSL Security - The site is using outdated security.

This article should help you get a A-grade in SSLLabs’s SSL Testing .

Backstory

As of 26 September 2014, Chrome (and also Firefox) have started the process to sunset SHA1 certification support and will give the above error if you’re using a certificate that is signed with SHA1.

If you’ve just installed a newly issued SSL cert from your certification authority, you should be already be issued with a signed certificate in SHA-256 as most CA have already stopped signing them with SHA1.

If not, make sure you’ve request for a reissue of your certification with SHA-256.

Disable Support for SSLv3

In your server block configuration on NGINX, specifically allow for non-v3 SSL protocol.

server {
..
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
..

}

Run a Logjam Test

Using the free Diffie-Hellman Server Test, check if your site is vulnerable to poor encryption. If you are you’ll need to generate a unique DH group to help beef it up.

Create a new DH Group Key

  $ openssl dhparam -out dhparams.pem 2048

You should store this key in the same directory as your site’s existing certs.

Allow only certain Cipher Suites

  # in your nginx configuration
  server {
    ..
    ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ssl_prefer_server_ciphers on;
    ..
  }

Add your dhparam key into your configuration

  server {
    ..
    ssl_prefer_server_ciphers on;
    ssl_dhparam /path/to/your/dhparams.pem;
    ..
  }

Now, restart your NGINX are run the SSLLabs test again.

I hope this article can give you a quick hardening tip and should be part of any new https deployment.