Use modern SSL config for Nginx #1127
Conversation
Based off of h5bp's config: https://github.com/h5bp/server-configs-nginx/blob/611ed7507bc200b81867423f6061fe79b2f606e8/h5bp/ssl/policy_modern.conf Drops TLSv1 and TLSv2.1 and updates the cipher suite. Cipher suite compatibility details: https://cryptcheck.fr/suite/ECDHE+AES:!SHA TLS 1.2 compatibility: https://caniuse.com/#feat=tls1-2 TLS 1.3 compatibility: https://caniuse.com/#feat=tls1-3
| # Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx | ||
| ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; | ||
| ssl_prefer_server_ciphers on; | ||
| ssl_protocols TLSv1.2 TLSv1.3; |
| ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; | ||
| ssl_prefer_server_ciphers on; | ||
| ssl_protocols TLSv1.2 TLSv1.3; | ||
| ssl_ciphers EECDH+CHACHA20:EECDH+AES; |
There was a problem hiding this comment.
I need slightly more time to research this.
I usually defer to https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
which is
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
vs
https://cryptcheck.fr/suite/EECDH+CHACHA20:EECDH+AES
I don't really fully understand what I'm looking at.
https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide#cipher-strength
There was a problem hiding this comment.
Ditto, it's confusing. Here's more detail on it h5bp/server-configs-nginx#190 (comment)
There was a problem hiding this comment.
Well it's been 20 days and I haven't made time to research this. I am using mozilla's recommended ciphers in production:
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
Don't let me hold this PR up then.
| @@ -1,9 +1,34 @@ | |||
| # OCSP stapling... | |||
| # ---------------------------------------------------------------------- | |||
| # | Online Certificate Status Protocol stapling | | |||
| @@ -25,7 +21,7 @@ ssl_session_timeout 24h; | |||
| # | |||
| # Note that you'll have to define and rotate the keys securely by yourself. In absence | |||
| # of such infrastructure, consider turning off session tickets: | |||
| #ssl_session_tickets off; | |||
| ssl_session_tickets off; | |||
There was a problem hiding this comment.
Co-Authored-By: Austin Pray <austin@austinpray.com>
|
Doing some testing with these new settings:
|
|
Not sure those WEAK warnings are necessarily bad? (or avoidable) |
|
@swalkinshaw afaik the Mozilla ciphers have the same warnings. If you excluded those the browser support would be unacceptably modern. |
|
@TangRufus are you able to give this a try? |
|
Tested on a remote server. Looks good to me. Question: Are we going to bundle the whole https://github.com/h5bp/server-configs-nginx/tree/28cb47df4227f8b8ae562e3a35e0d663a6593279/h5bp in Trellis? |
|
It would be nice to update them all but that's a much bigger task so I'd rather get the important SSL updates in first. |
|
Should we tag a minor (maybe even major) release and put out a little FYI? This should impact browser support a fair bit. Don't wanna blindside people updating. |
|
Yes I planned to. Unless you mean like asap? I'll do one tonight/tomorrow |
|
Oh no ASAP implied: just meant at some point |
Fixes #1126
Based off of h5bp's config: https://github.com/h5bp/server-configs-nginx/blob/611ed7507bc200b81867423f6061fe79b2f606e8/h5bp/ssl/policy_modern.conf
Drops TLSv1 and TLSv2.1 and updates the cipher suite.
Cipher suite compatibility details: https://cryptcheck.fr/suite/ECDHE+AES:!SHA
TLS 1.2 compatibility: https://caniuse.com/#feat=tls1-2
TLS 1.3 compatibility: https://caniuse.com/#feat=tls1-3
@austinpray