Transport Layer Security

This page documents some sane settings for modern TLS security in nginx. I'm not particularly interested in backwards compatibility for this environment, so I won't spend much time supporting broken browsers or operating systems which should have been deprecated by now. I realize this can be frustrating for some people, but given the revelations of the past couple of years regarding the use of insecure crypto, you're probably better off ignoring crypto completely than trying to implement questionable systems.

Basic nginx configuration

  # SSL configuration
  # nginx 1.9.5 dropped the spdy parameter in favour of http2
  listen 443 ssl http2 default_server;
  ssl_certificate /etc/ssl/localcerts/mycert.chained.crt;
  ssl_certificate_key /etc/ssl/localcerts/mycert.key;
  # OCSP stapling support. ssl_trusted_certificate must contain the intermediate
  # and root CA certificates needed to verify the stapled OCSP response.
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/ssl/localcerts/ocsp-chain.crt;
  # HTTP Strict Transport Security header. "always" (nginx 1.7.5+) sends it on
  # error responses too. add_header is only inherited by a location block that
  # defines no add_header of its own, so repeat it where needed. Only keep
  # "preload" if you intend to submit the site to the browser preload list;
  # a preloaded entry is hard to undo.
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  # only TLSv1.2 and TLSv1.3: SSLv2, SSLv3, TLSv1.0 and TLSv1.1 are all
  # deprecated (RFC 8996 for the last two). TLSv1.3 needs nginx 1.13.0+ built
  # against OpenSSL 1.1.1+; drop it from this line on older builds.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  # TLSv1.2 cipher list: disables all weak ciphers, prefers AES-GCM and falls
  # back to the other ECDHE AES suites if necessary. OpenSSL's ECDH keyword also
  # matches fixed (non-ephemeral) ECDH suites; use EECDH instead if you want to
  # require forward secrecy explicitly. This string does not control TLSv1.3
  # suites, which OpenSSL configures separately.
  ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!eNULL:!EXPORT:!MEDIUM:!LOW:!DES:!MD5:!SHA1:!PSK:!RC4";
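It is easy to misjudge what an OpenSSL cipher string like the one above actually enables, since nginx hands it to OpenSSL unchanged and the expansion depends on the OpenSSL version. The following is an added example, not part of the original page or of nginx: it uses Python's ssl module (which wraps the same OpenSSL cipher-string grammar) to expand a string into the TLSv1.2 suites it enables, in server preference order, and audits each suite for forward secrecy, RC4/DES and MD5/SHA-1 MACs. PAGE_SPEC is the page's string; WEAK_SPEC is a constructed comparison string (one static-RSA suite and one SHA-1 ECDHE suite) and the helper names are this example's own. The result reflects the OpenSSL that Python links against, which may differ from the one nginx uses.

```python
"""Expand an OpenSSL cipher string the way nginx's ssl_ciphers would and
audit the resulting TLSv1.2 suites for forward secrecy and weak primitives.
Added example; not code from the page being discussed."""
import ssl

# The page's nginx ssl_ciphers string.
PAGE_SPEC = ("ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!eNULL:!EXPORT"
             ":!MEDIUM:!LOW:!DES:!MD5:!SHA1:!PSK:!RC4")

# Constructed weak string for comparison (not from the page): a static-RSA
# suite with no forward secrecy, and an ECDHE suite with a SHA-1 MAC.
WEAK_SPEC = "AES256-SHA:ECDHE-RSA-AES128-SHA"

# Key-exchange long names, as surfaced by SSLContext.get_ciphers(), that use
# an ephemeral key and therefore give forward secrecy.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}


def expand(spec):
    """Return the suites OpenSSL enables for `spec`, in server preference
    order, as the dicts returned by SSLContext.get_ciphers(). TLSv1.3 suites
    are excluded: the cipher string does not govern them, and they are all
    AEAD with ephemeral key exchange anyway."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if no suite matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suite_problems(c):
    """List the reasons one suite dict is unacceptable (empty if it is fine)."""
    problems = []
    if c["kea"] not in EPHEMERAL_KX:
        problems.append("no forward secrecy (%s)" % c["kea"])
    sym = c["symmetric"] or ""          # e.g. "aes-128-cbc", "rc4", "des-ede3-cbc"
    if "rc4" in sym or "des" in sym:
        problems.append("weak cipher (%s)" % sym)
    if c["digest"] in ("md5", "sha1"):  # None for AEAD suites
        problems.append("weak MAC (%s)" % c["digest"])
    return problems


def audit(spec):
    """Map suite name -> problems for every unacceptable suite `spec` enables."""
    findings = {}
    for c in expand(spec):
        problems = suite_problems(c)
        if problems:
            findings[c["name"]] = problems
    return findings


def non_aead(spec):
    """Names of enabled suites that are CBC + HMAC rather than AEAD. These pass
    the page's string (SHA-256/384 MACs) but are the ones you would drop next."""
    return [c["name"] for c in expand(spec) if not c["aead"]]


if __name__ == "__main__":
    for label, spec in (("page", PAGE_SPEC), ("weak", WEAK_SPEC)):
        print("== %s spec ==" % label)
        for c in expand(spec):
            print("  %-32s kx=%-10s auth=%-11s aead=%s"
                  % (c["name"], c["kea"], c["auth"], c["aead"]))
        for name, problems in audit(spec).items():
            print("  PROBLEM %s: %s" % (name, "; ".join(problems)))
        print("  non-AEAD:", ", ".join(non_aead(spec)) or "none")
```

Run it after every change to ssl_ciphers: the page's string should expand to ECDHE-only AES suites with GCM first and no findings, while the weak string shows exactly the kind of suite the `!` exclusions are there to keep out.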

TLS/SSL tips and tricks

TLS/SSL Server Test: https://www.ssllabs.com/ssltest/index.html

# test OCSP stapling; -servername sends SNI so the server picks the right
# certificate. A working setup prints "OCSP Response Status: successful" with a
# "Next Update" time, while "OCSP response: no response sent" means nothing was
# stapled. nginx fetches its first OCSP response in the background after
# startup, so run the check twice before concluding stapling is broken.
 echo QUIT | openssl s_client -connect quay.net:443 -servername quay.net -status 2> /dev/null | \
 grep -A 17 'OCSP response:' | grep -B 17 'Next Update'