
Preparing Nginx for PCI Compliance

Hello.

Today our goal is to prepare Nginx for PCI compliance, more specifically its SSL protocols and ciphers. Or, put simply, to raise the security of our SSL connections and get rid of known vulnerabilities.

All you need is to bring the relevant part of the config into this form :)

 ssl_certificate /etc/nginx/card.pem;
 ssl_certificate_key /etc/nginx/card.key;
 ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
 ssl_session_cache shared:SSL:10m;
 ssl_prefer_server_ciphers on;

Still, let's add a few details and go through the points one by one.

If you are running a recent version of nginx, the defaults will most likely already be "strong" ciphers. Even so, we will slightly change the default values:

 ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH; 


We do this so that RC4-SHA is preferred over the CBC-mode ciphers, since the latter are exposed to known vulnerabilities.

You can view the full cipher list with the command:

 openssl ciphers 


Eliminate the possibility of a BEAST attack (CVE-2011-3389):

 ssl_prefer_server_ciphers on; 


We enable the SSL session cache: it spares us a full SSL handshake on every reconnect and adds a few points in the final test. One megabyte of cache holds about 4000 sessions.

 ssl_session_cache shared:SSL:10m; 


For versions 0.7.64, 0.8.18 and earlier, add the following line to disable SSLv2:

 ssl_protocols SSLv3 TLSv1; 


In versions 0.7.65, 0.8.19 and later the default SSL protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2, which suits us perfectly.
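As an added example (not code from the original post), here is a small Python linter that checks an nginx SSL config fragment against the points above: the cipher-string exclusions, ssl_prefer_server_ciphers, a shared session cache, and no SSLv2. The flat directive parser and the session-capacity rule of thumb (1 MB ~ 4000 sessions, taken from the post) are assumptions made for this example.

```python
import re

SESSIONS_PER_MB = 4000  # rule of thumb from the post: 1 MB of shared cache ~ 4000 sessions

def parse_directives(conf: str) -> dict:
    """Map 'name arg ...;' statements to their argument lists (flat parser, ignores nested blocks)."""
    directives = {}
    for stmt in re.sub(r"#[^\n]*", "", conf).split(";"):
        parts = stmt.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives

def session_capacity(cache_spec: str) -> int:
    """Approximate how many sessions a 'shared:NAME:SIZE' cache holds (SIZE in k or m)."""
    match = re.fullmatch(r"shared:\w+:(\d+)([km])", cache_spec)
    if not match:
        raise ValueError(f"unsupported ssl_session_cache spec: {cache_spec}")
    size, unit = int(match.group(1)), match.group(2)
    megabytes = size if unit == "m" else size / 1024
    return int(megabytes * SESSIONS_PER_MB)

def lint_ssl_config(conf: str) -> list:
    """Return findings for the checklist in the post; an empty list means the fragment passes."""
    d = parse_directives(conf)
    findings = []
    # 1. Cipher string must exclude anonymous suites, MD5-based MACs and kEDH.
    suites = (d.get("ssl_ciphers") or [""])[0].split(":")
    for excluded in ("aNULL", "MD5", "kEDH"):
        if f"!{excluded}" not in suites:
            findings.append(f"ssl_ciphers does not exclude {excluded}")
    # 2. The server must choose the suite, otherwise the client's preference order wins.
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on (BEAST, CVE-2011-3389)")
    # 3. A shared session cache avoids a full handshake on every reconnect.
    cache = d.get("ssl_session_cache", [])
    if not cache or not cache[0].startswith("shared:"):
        findings.append("ssl_session_cache is not a shared cache")
    # 4. SSLv2 must never be enabled; an explicit protocol list is checked only when present.
    if "SSLv2" in d.get("ssl_protocols", []):
        findings.append("ssl_protocols enables SSLv2")
    return findings

# Constructed sample: the fragment recommended in the post.
RECOMMENDED = ("ssl_certificate /etc/nginx/card.pem; ssl_certificate_key /etc/nginx/card.key; "
               "ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH; ssl_session_cache shared:SSL:10m; "
               "ssl_prefer_server_ciphers on;")

if __name__ == "__main__":
    print(lint_ssl_config(RECOMMENDED), session_capacity("shared:SSL:10m"))
```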

We run the SSL Labs test and get "Grade A" and "PCI Compliance: Yes":

www.ssllabs.com/ssltest

Useful links:

Nginx.org Configuring HTTPS Servers
SSL / TLS Deployment Best Practices
SSL Server Rating Guide

UPD:
In connection with the discovered RC4 vulnerability ( http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html ), thanks to alist, I advise updating OpenSSL to version 1.0.1, which supports GCM and TLS 1.2. For now this is all we can do on our side; the rest depends on action from the browsers.

Source: https://habr.com/ru/post/173125/
