The current example value for ssl_ciphers in nginx (HIGH:!aNULL:!MD5) has a
number of security issues, including:

- Weak DH key exchange / vulnerability to logjam attack

- Preferring AES-CBC instead of GCM, which causes an 'obsolete cipher
suite' message in recent versions of Chrome

- 128 bit AES should be preferred over 192 and 256 bit AES considering
attacks that specifically affect the larger key sizes but do not affect AES
128

Users who are aware that the values presented are an issue may typically
use tools like Mozilla's SSL Config Generator
https://mozilla.github.io/server-side-tls/ssl-config-generator,
https://cipherli.st, or various blogs that are hopefully up to date.

However:

- Many users will not be aware this is an issue, and may simply uncomment
the example ssl config provided.
- The official nginx docs at
http://nginx.org/en/docs/http/configuring_https_servers.html#compatibility
state
'configuring (ssl_ciphers) explicitly is generally not needed' which is
incorrect.
- nginx has fixed this in the past multiple times, most recently in 1.0.5,
see
http://nginx.org/en/docs/http/configuring_https_servers.html#compatibility
:

Version 1.0.5 and later: the default SSL ciphers are “HIGH:!aNULL:!MD5”.
Version 0.7.65, 0.8.20 and later: the default SSL ciphers are
“HIGH:!ADH:!MD5”.
Version 0.8.19: the default SSL ciphers are
“ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM”.
Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are
“ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP”.

- nginx, like all software, should use secure examples

The following patch matches the 'intermediate' settings in Mozilla's TLS
Configurator, including IE7 upwards for wide compatibility. Note: I've used
a maximum text width of 80 characters for code, per
http://nginx.org/en/docs/contributing_changes.html, however it seems there
is no way to keep this line short in the config file.

# HG changeset patch
# User Mike MacCana <mike.maccana@gmail.com>
# Date 1438616573 -3600
# Mon Aug 03 16:42:53 2015 +0100
# Node ID 9d055a8eba96c1e49e970770a37f742744db083c
# Parent b544f8e0d9214560a6acddbb0f40db5146e9463d
Update SSL cipher list

diff -r b544f8e0d921 -r 9d055a8eba96 conf/nginx.conf
--- a/conf/nginx.conf Thu Jul 30 16:43:48 2015 -0700
+++ b/conf/nginx.conf Mon Aug 03 16:42:53 2015 +0100
@@ -105,7 +105,7 @@
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;

- # ssl_ciphers HIGH:!aNULL:!MD5;
+ # ssl_ciphers
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA
# ssl_prefer_server_ciphers on;

# location / {
diff -r b544f8e0d921 -r 9d055a8eba96 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Thu Jul 30 16:43:48 2015 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c Mon Aug 03 16:42:53 2015 +0100
@@ -13,8 +13,28 @@
typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
ngx_pool_t *pool, ngx_str_t *s);

+#define NGX_DEFAULT_CIPHERS "ECDHE-RSA-AES128-GCM-SHA256\
+:ECDHE-ECDSA-AES128-GCM-SHA256\
+:ECDHE-RSA-AES256-GCM-SHA384\
+:ECDHE-ECDSA-AES256-GCM-SHA384\
+:DHE-RSA-AES128-GCM-SHA256\
+:ECDHE-RSA-AES128-SHA256\
+:DHE-RSA-AES128-SHA256\
+:ECDHE-RSA-AES256-SHA384\
+:DHE-RSA-AES256-SHA384\
+:ECDHE-RSA-AES256-SHA256\
+:DHE-RSA-AES256-SHA256\
+:HIGH\
+:!aNULL\
+:!eNULL\
+:!EXPORT\
+:!DES\
+:!RC4\
+:!MD5\
+:!PSK\
+:!SRP\
+:!CAMELLIA"

-#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
#define NGX_DEFAULT_ECDH_CURVE "prime256v1"

#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"

If this patch is accepted I will also update the documentation accordingly.

SSL Labs handshake test results
Before:
https://archive.is/PfOGL
After:
https://archive.is/JccUh

The changes in the patch above are already widely used by Mozilla Server
Side TLS users, but if further discussion is needed on prioritisation logic
then the following may be helpful:
- https://wiki.mozilla.org/Security/Server_Side_TLS#Prioritization_logic (used
for this patch)
- https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html (used
for cipherli.st)
-
https://github.com/nodejs/node/commit/5755fc099f883293530406c423bda47414834057
(node
doing the same thing recently)

Thanks,

Mike
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel