
How to protect Nginx against SSLv3 POODLE vulnerability

A few days ago we all got a report of a new vulnerability in the SSL v3 protocol, originally announced by members of the Google security team. Basically, the news is this: the SSL v3 protocol can be exploited by a man-in-the-middle to extract data that was encrypted by HTTPS, and the only way to be fully protected against this issue is to remove SSLv3 support from your web server configuration. If you want to fully review the vulnerability in detail, it can be done from here.


How to Disable SSLv3 in Nginx?

Find the ssl_protocols directive in your Nginx configuration, for example:

grep ssl_protocols /etc/nginx/ -R

Replace /etc/nginx with your Nginx installation path.

Example of SSLv3 found in the Nginx configuration:

grep ssl_protocols /etc/nginx/ -R
/etc/nginx/nginx.conf:    #    ssl_protocols  SSLv3 TLSv1 TLSv1.1 TLSv1.2;

Remove SSLv3 from that line so that it matches the following:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 

Reload Nginx to apply the changes:

service nginx reload

Doing this will help you avoid the SSLv3 POODLE vulnerability and keep your SSL website protected.


Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking