Disable SSLv3 on Nginx
Why on my server still enabled SSLv3 ? I want to disable for reasons that in some computers can not open my page because of safety issues.
I found this guide:
But currently I've got it set. My server is hosted in Google Cloud, I currently have this Nginx configuration file:
...
ssl on;
ssl_certificate /etc/nginx/dba_certs/dba_ssl2/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/dba_certs/dba_keys/dba.key;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
...
OpenSSL version is 1.0.1f 6 Jan 2014.
What could be wrong?
To disable SSLv3, you'll have to edit default server configuration, not just an arbitrary virtual host config. It can only be disabled for a listen socket, not just a virtual server. The configuration snippet you've provided suggests that you are using per-server included configuration files, so you'll have to find one with default_server in the appropriate listen directive, and disable SSLv3 there:
server {
listen 443 default_server ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
...
}
Or, better yet, edit the configuration at http level, in nginx.conf:
http {
...
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
...
}
You may also consider upgrading nginx to a recent version. In nginx 1.9.1+ SSLv3 is disabled by default.
- cURL with SSL certificates fails: error 58 unable to set private key file
- Specifying Arduino WiFiClientSecure Certificates
- maxscale cannot find gtid_binlog_pos
- FreeSWITCH TLS error in 'Client Hello' Request
- ASP.NET Core Development Certificates - error exporting the HTTPS developer certificate
- Get certificate's public key in the PKCS8 format
- Why is Firefox not trusting my self-signed certificate?
- Difference between pem, crt, key files
- Is it a good idea to distribute docker image containing my selfsigned certificate?
- PKIX path building failed: unable to find valid certification path to requested target on chaincode commit on Hyperledger Fabric production network
- OkHTTP (v3.0.0-RC1) Post Request with Parameters
- SSL handshake error (CERTIFICATE_VERIFY_FAILED) in grpc++
- Convert .pem to .crt and .key
- How can I decode a SSL certificate using python?
- How to Create Secure(TLS/SSL) Websocket Server
- The client and server cannot communicate, because they do not possess a common algorithm - ASP.NET C# VB Visual Basic IIS TLS 1.0 / 1.1 / 1.2
- javax.net.ssl.SSLException: Certificate for <> doesn't match any of the subject alternative names: []
- MSSQL with SSL: The target principal name is incorrect
- How can I add a Subject to my email to send via SMTP?
- SSL module in Python is not available (on OSX)
- Spring Boot 3.4 new feature : How to config SSLBundle works with RestClient?
- postgres r2dbc gives ssl error but connects using jpa
- Can Spring Boot's SSLBundle work with certificates without CA (just mutual authenticated, not CA)?
- kex_exchange_identification: Connection closed by remote host
- Is the Apple Push Notification service SSL (Sandbox & Production) certificate universal?
- Nginx reverse proxy to Heroku fails SSL handshake
- Is a Wild Card SSL Certificate recommended?
- Bouncy Castle Configuration for TLS
- cxf webclient call api using TLSV1
- Building Python and OpenSSL from source, but ssl module fails