Protip: Disable SSL 3.0 on nginx

October 19, 2014

Another day, another something-bleed bug related to secure browsing discovered. There’s a new vulnerability (“Poodlebleed”) affecting the SSL protocol which could allow for unauthorized snooping and MITM (man-in-the-middle) attacks on users of services which use SSL 3.0.

If you serve over SSL, you should make sure you’re not using 3.0. In current versions of nginx, SSL 3.0 is the default, but that can easily be changed by putting this line in your nginx.conf’s http block:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

You should also make sure that any other instances of the ssl_protocols directive match this, if they exist.

There’s also a handy tool to check if your server is vulnerable. It it isn’t you’ll get happy green output like this:

If for some unholy reason you find yourself using Apache, apparently this guide is helpful.