Question about configuring NGINX for TLSv1.2 TLSv1.3, other security issues
Stephen Douglas Scotti
May 11, 2022, 6:09:36 PM5/11/22
I have a Docker container running NGINX version: nginx/1.20.2. I did a security scan using a web service and it returns a few flags that I want to fix.
1. nginx is prone to an information disclosure vulnerability.
Insight: The default configuration of nginx uses world-readable permissions for the access.log and error.log files, which allows local users to obtain sensitive information by reading the files.
Probably not relevant because I am running in a Docker container, and I think those files are owned by root on the host in my setup.
SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection
but the scanner still flags Deprecated TLSv1.0 and TLSv1.1 Protocol Detection.
and it also flags:
Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSL/TLS, D(HE)ater)
There are a few more lower-priority flagged items, not so much related to the NGINX config.
Just wondering if those directives need to be in the server blocks, if they are being misread by the scanner, etc. Seems like I should not be getting the warning about TLSv1.0 and TLSv1.1?
Thanks.
Junlong li
May 12, 2022, 8:45:20 AM5/12/22
OpenResty does not support the nginx 1.20 core.
Are you using nginx or OpenResty?
I don't know how the web scanner works.
If you connect to nginx with the specific TLS protocol, you can use tcpdump + Wireshark to verify whether it is a false positive.
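One way to run the check described in this reply from the client side, as an added example that is not from the thread or from OpenResty: probe the server with openssl s_client one TLS version at a time (the two versions the scanner flagged plus 1.2 and 1.3), then offer only finite-field DHE cipher suites to see whether the D(HE)ater precondition, a completed DHE handshake, holds. It assumes openssl is installed and takes the host and port to check as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): probe a TLS endpoint the way the scanner does,
# one protocol version at a time, and check whether a DHE-only handshake completes.
# Assumes openssl s_client is installed; HOST and PORT are the server being checked.

# tls_accepted OUTPUT: succeed when s_client's summary shows a negotiated cipher.
tls_accepted() {
  case "$1" in
    *"Cipher is (NONE)"*) return 1 ;;   # handshake refused or alerted
    *"Cipher is "*)       return 0 ;;   # e.g. "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384"
    *)                    return 1 ;;   # no summary at all: refused, timeout, DNS failure
  esac
}

# verdict OUTPUT: print ACCEPTED or rejected for a report line.
verdict() { if tls_accepted "$1"; then echo ACCEPTED; else echo rejected; fi; }

# probe HOST PORT VERSION [extra s_client flags...]
probe() {
  host=$1; port=$2; ver=$3; shift 3
  # stdin is closed immediately so s_client exits right after the handshake.
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        "-$ver" "$@" 2>&1 || true)
  echo "$ver: $(verdict "$out")"
}

run_probes() {
  host=$1; port=${2:-443}
  # Modern OpenSSL builds refuse TLS 1.0/1.1 on the client side at the default
  # security level; SECLEVEL=0 makes the result reflect the server, not the client.
  probe "$host" "$port" tls1   -cipher 'DEFAULT:@SECLEVEL=0'
  probe "$host" "$port" tls1_1 -cipher 'DEFAULT:@SECLEVEL=0'
  probe "$host" "$port" tls1_2
  probe "$host" "$port" tls1_3
  # D(HE)ater needs a finite-field DHE suite. In OpenSSL cipher-string syntax,
  # 'DHE' selects authenticated ephemeral finite-field DH only (ECDHE is excluded).
  dhe_out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
            -tls1_2 -cipher 'DHE' 2>&1 || true)
  echo "DHE-only TLS1.2 handshake (D(HE)ater exposure): $(verdict "$dhe_out")"
}

# Run only when invoked with a host, e.g.: sh tlsprobe.sh example.com 443
if [ "$#" -ge 1 ]; then run_probes "$@"; fi
```

A version reported as ACCEPTED here is offered by the server regardless of what the scanner says; if every probe the scanner complains about comes back rejected, the packet capture suggested above will show the scanner's own ClientHello and the server's alert.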