nginx SSL configuration


GrahamM

Mar 5, 2013, 1:14:54 PM
to mail...@googlegroups.com

Just a quick note on nginx SSL configuration. I happen to be running mailserv on OpenBSD 5.1, and I wanted to see how my SSL web server configuration looked. I know from past experience that SSL is a notoriously tricky thing to get right - having been burnt by default configurations before. Qualys SSL Labs (I have no connection) provide a handy SSL server tester (www.ssllabs.com/ssltext/index.html) that provides some information about the SSL configuration.

I was somewhat surprised to discover that the mailserv configuration permitted the use of anonymous elliptic curve Diffie–Hellman (ECDH), which I understand makes it easier for someone to attempt to perform a man-in-the-middle attack against SSL. 

The fix for this seems to be pretty simple. The ssl_ciphers line in /etc/nginx.conf needs to be updated to include !aNULL so that the complete line becomes:

  ssl_ciphers HIGH:!aNULL:!ADH:!MD5;


It would be good if this could be included in install/templates/nginx.conf by default.

GrahamM

Mar 5, 2013, 1:23:07 PM
to mail...@googlegroups.com
I should have added the RC4 to help mitigate attacks from BEAST... Serves me right for not watching closely enough. With this change in place, the SSL configuration for nginx should be:

ssl_ciphers RC4:HIGH:!aNULL:!ADH:!MD5;

This should help to protect against BEAST as well as man in the middle anon ECDH attacks.
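To see what a given ssl_ciphers value actually admits before putting it into nginx, the cipher string can be expanded by the same OpenSSL library nginx links against and scanned for suites that offer no server authentication. The script below is an added example written for this thread; it is not part of mailserv, and the "permissive" string is a constructed stand-in for the pre-fix line (the thread only shows the corrected one). It assumes only the Python standard library and whichever OpenSSL it was built against. Note, from a current perspective, that the RC4 suites prepended in the follow-up post were later prohibited outright by RFC 7465, so a present-day list would also carry !RC4; the check here looks only at the anonymous-suite problem the thread raises.

```python
import ssl

# Cipher strings to compare. PERMISSIVE is a constructed stand-in for the kind
# of line that still admits anonymous suites (HIGH alone includes ADH-*/AECDH-*);
# HARDENED is the line proposed in the thread.
PERMISSIVE = "HIGH:!MD5"
HARDENED = "HIGH:!aNULL:!ADH:!MD5"


def expand_cipher_string(cipher_string):
    """Expand an nginx-style ssl_ciphers value with the local OpenSSL.

    Returns the ordered list of cipher dicts OpenSSL would negotiate from,
    the same expansion `openssl ciphers -v '<string>'` prints. An unparseable
    string raises ssl.SSLError, exactly as nginx would refuse it at start-up.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def is_anonymous(cipher):
    """True for suites with no server authentication: ADH-*/AECDH-* names,
    or an OpenSSL description carrying Au=None."""
    name = cipher["name"]
    return (name.startswith("ADH-") or name.startswith("AECDH-")
            or "Au=None" in cipher.get("description", ""))


def anonymous_suites(cipher_string):
    """Names of the unauthenticated suites a cipher string would offer."""
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if is_anonymous(c)]


def audit(cipher_string):
    """Summarise a cipher string: total suites, anonymous ones, and whether
    the configuration is exposed to an unauthenticated man-in-the-middle."""
    suites = expand_cipher_string(cipher_string)
    anon = [c["name"] for c in suites if is_anonymous(c)]
    return {"total": len(suites), "anonymous": anon, "mitm_exposed": bool(anon)}


if __name__ == "__main__":
    for label, cs in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        report = audit(cs)
        print(f"{label:10s} {cs}: {report['total']} suites, "
              f"{len(report['anonymous'])} anonymous")
        for name in report["anonymous"]:
            print("    ", name)
```

Run it on the machine that will serve the site, since the result depends on that host's OpenSSL build; the hardened string should report zero anonymous suites, while the permissive one lists the ADH-/AECDH- suites that !aNULL removes. The same expansion can be cross-checked with `openssl ciphers -v 'HIGH:!aNULL:!ADH:!MD5'` on the nginx host.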


Marcus Bointon

Mar 5, 2013, 1:52:00 PM
to mail...@googlegroups.com
Good catch, FWIW I've pulled that into my devel repo (which is still broken while I try to get chrooted nginx to work!)

Marcus