Update your NGINX Config to fix POODLE Vulnerability

I spent quite a while Googling around looking for a good, quick guide to check for and sort the POODLE bug on my client VPS. I found bits and pieces on multiple sites, but no one single post.
Hopefully, this sorts that. This provides no background on the issue, just how to fix it if you run NGINX on Ubuntu. This should also get you to A+ on the SSL Test.

1. Sort out the DHE Key Exchange

$ cd /etc/ssl/certs
$ openssl dhparam -out dhparam.pem 4096

NOTE: If your site passes payments over to First Data for processing, they will not be able to pass you back with anything over 1024. If you process payments via First Data, DO NOT make the Diffie-Hellman changes. This may not be limited to First Data.

2. Add the following block to the http{} section of nginx.conf

#SSL Hardening
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 deliberately left out: this is the POODLE fix
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;   # NOTE: leave this line out if using First Data for payments
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

3. Run config test and restart NGINX

$ service nginx configtest
 * Testing nginx configuration
 * nginx  [OK]
$ service nginx restart
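Before restarting, it is worth checking that the block you pasted in actually does what steps 1 to 3 intend (SSLv3 gone, server cipher order on, dhparam wired in, HSTS set). The script below is an added example, not part of the original post or of NGINX itself: a small audit that reads an nginx config fragment and reports which of those settings are missing. It uses a deliberately simple directive parser, enough for ssl_* and add_header lines, and the two config strings are constructed samples (the hardened block from this post and a weak one that still lists SSLv3).

```python
"""Audit an nginx config fragment for the POODLE-related hardening settings.

Added example for this post, not nginx's own tooling. The parser is a
minimal tokenizer for flat directives; it is not a full nginx config parser.
"""

# Constructed sample: the hardened block from the post inside an http{} block.
HARDENED_CONFIG = """
http {
    #SSL Hardening
    ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}
"""

# Constructed sample: a config that still enables SSLv3 and lacks the rest.
WEAK_CONFIG = """
http {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # SSLv3 still on
    ssl_ciphers HIGH:!aNULL;
}
"""


def parse_directives(text):
    """Return a list of (name, [args]) for simple one-line nginx directives.

    Strips '#' comments, splits statements on ';', drops '{' and '}' block
    markers and surrounding quotes on arguments. Nested scoping is ignored.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments
        if not line:
            continue
        for stmt in line.split(';'):
            stmt = stmt.strip().strip('{}').strip()
            if not stmt:
                continue
            parts = stmt.split()
            args = [a.strip('\'"') for a in parts[1:]]
            directives.append((parts[0], args))
    return directives


def audit_ssl_config(text):
    """Map each check name to True (passed) or False (needs attention)."""
    settings = {}   # last occurrence of a directive wins
    headers = []    # add_header lines, collected separately (repeatable)
    for name, args in parse_directives(text):
        if name == 'add_header':
            headers.append(args)
        else:
            settings[name] = args

    protocols = {p.upper() for p in settings.get('ssl_protocols', [])}
    hsts = [h for h in headers if h and h[0].lower() == 'strict-transport-security']

    return {
        # Must be set explicitly: relying on a build default is what left SSLv3 on.
        'ssl_protocols_set': 'ssl_protocols' in settings,
        # The POODLE fix itself: neither SSLv2 nor SSLv3 may be listed.
        'sslv3_disabled': 'ssl_protocols' in settings
                          and not (protocols & {'SSLV2', 'SSLV3'}),
        'server_cipher_order': settings.get('ssl_prefer_server_ciphers', [''])[0] == 'on',
        'dhparam_set': 'ssl_dhparam' in settings,
        'anull_excluded': any('!aNULL' in c for c in settings.get('ssl_ciphers', [])),
        'hsts_present': bool(hsts),
    }


def failing_checks(text):
    """Sorted list of check names that did not pass, for a quick report."""
    return sorted(k for k, ok in audit_ssl_config(text).items() if not ok)


if __name__ == '__main__':
    for label, cfg in (('hardened', HARDENED_CONFIG), ('weak', WEAK_CONFIG)):
        print(label, '->', failing_checks(cfg) or 'all checks passed')
```

Run it against a copy of your own nginx.conf (read the file into a string and pass it to failing_checks) before the restart in step 3; an empty list means the block is present and SSLv3 is not listed. Remember that if you skipped the Diffie-Hellman change because of the First Data note, 'dhparam_set' is expected to fail.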

4. Quick Test!
Go to the following sites to run a quick check to see if you have sorted it.

5. Run the Qualys SSL Server Test
Make sure you check Do not show the results on the boards.
If you’re A+, you’re all good (for now).

