Just a quick post as I noticed that my nginx configuration was vulnerable to the BEAST attack thanks to the #spiffy SSL Certificate Tester from Qualys (I scored an “A”, btw :-).
The nginx docs now show how to do this, and it’s pretty simple (very similar to the equivalent Apache SSLCipherSuite / SSLHonorCipherOrder configuration, in fact):
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
The first line puts RC4 (a stream cipher, so there is no CBC chaining for BEAST to exploit) ahead of the CBC suites; the second makes the server, rather than the client, pick from the offered suites, so a client that lists a CBC suite first does not get it. Set that and you’re done.
One caveat that postdates this post: RC4 has since been shown to be insecure in its own right and is now prohibited in TLS (RFC 7465), so this workaround should no longer be used. BEAST only affects CBC suites under SSL 3.0 and TLS 1.0, and the current fix is to disable those protocol versions and offer AEAD suites instead.
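Here is what that looks like in a full server block. This is an added example, not configuration from the original post; the hostname example.com and the certificate paths are placeholders, and the 2011-era RC4 lines are kept only as a commented-out reference beside the current settings.

```nginx
# Added example, not from the original post. example.com and the
# certificate paths are placeholders; adjust to your own deployment.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/certs/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder path

    # Historical BEAST workaround from the post: prefer RC4 (a stream cipher,
    # so no CBC chaining to attack) over the CBC suites. RC4 is now broken
    # and prohibited by RFC 7465, so these two lines must NOT be enabled.
    # ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;

    # Current fix: BEAST only affects CBC suites under SSL 3.0 / TLS 1.0
    # (TLS 1.1 introduced explicit per-record IVs), so drop the old protocol
    # versions entirely and offer only AEAD suites (AES-GCM, ChaCha20-Poly1305),
    # which have neither a CBC mode to attack nor RC4.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Still worth keeping: the server decides which of the offered suites is
    # used, so a client that lists a weaker suite first does not win.
    ssl_prefer_server_ciphers on;
}
```

Run `nginx -t` to check the syntax before reloading, then re-run the SSL Labs test: the report should list no RC4 suites and no TLS 1.0 support, and the BEAST line should no longer be flagged.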
Like many other system admins, I should have done this a long time ago. And, like many other system admins, I’ve got many other things going on. I let this slip (even though I’ve kept up on nginx patches) and I shouldn’t have. Thankfully, this was a low risk item as the site doesn’t perform truly critical transactions.
I definitely encourage folks to use the SSL Labs tool to help ensure you’ve got your site’s configuration up to snuff.
Also, make sure to follow @ivanristic on Twitter if you care at all about web app security.
2 Comments
RC4 is insecure, so that is not reliable anymore.
This is bad advice now – RC4 is considered insecure.
One Trackback/Pingback
[…] this week, I mentioned the most excellent Qualys SSL Certificate Tester and thought it would be interesting to try it on […]