Nginx: TLS without LUCKY13

My public SSL/TLS configuration for Nginx, which I hardened a little: removing a lot of ciphers and the LUCKY13 vulnerability.

This configuration is ready for production and meets the latest major requirements.

TLS versions

This month (January 2020) was the end of life for TLS 1.0 and TLS 1.1.

Starting with Chrome 79 on January 13, 2020, the browser will show a “Not Secure” indicator to the left of the address box.

By March, with Chrome 81, connections to websites using the legacy versions will be blocked. There will be a full-screen interstitial warning that notes how the site you’re visiting uses an “outdated security configuration, which may expose your information when it is sent to the site.” – https://9to5google.com/2019/10/01/google-chrome-tls-warning/

LUCKY13?

A new attack on AES-CBC, and now it is the real end of life for AES-CBC: absolutely all services using AES-CBC (SSH included) should migrate to full AEAD cipher suites, such as AES-GCM.

All TLS and DTLS cipher suites which include CBC-mode encryption are potentially vulnerable – http://www.isg.rhul.ac.uk/tls/Lucky13.html

The configuration

It’s only in Git: https://github.com/sycured/nginx_ssl_config

You may also be interested in mutual TLS to harden your internal proxy_pass, or anything else where you want to be sure the server authenticates the client.
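The following is an added example that ties the points above together; it is not the configuration from the sycured/nginx_ssl_config repository. It shows a server block limited to TLS 1.2 and 1.3, an AEAD-only cipher list (no CBC-mode suite is offered, so the padding-oracle behaviour behind Lucky13 is simply not reachable), and two mutual TLS patterns: requiring a client certificate on an internal path, and presenting a client certificate to an upstream behind proxy_pass. All hostnames, certificate paths and upstream addresses are placeholders.

```nginx
# Added example, not the author's published configuration.
# Every path and hostname below is a placeholder.

server {
    listen 443 ssl http2;
    server_name example.com;                         # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder path

    # TLS 1.0 and 1.1 are end of life: offer TLS 1.2 and 1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2: AEAD suites only (AES-GCM, ChaCha20-Poly1305).
    # No CBC-mode suite is listed, so Lucky13-style padding oracles do not apply.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;   # every listed suite is acceptable; let clients without AES-NI pick ChaCha20
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    # TLS 1.3 suites are all AEAD and are NOT controlled by ssl_ciphers.
    # nginx 1.19.4+ with OpenSSL 1.1.1+ can pin them explicitly if needed:
    # ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;

    # Session resumption via the server-side cache only; no long-lived ticket keys.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling, verified against the issuing chain.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/tls/chain.crt; # placeholder: issuing CA chain

    add_header Strict-Transport-Security "max-age=63072000" always;

    # Mutual TLS (client side): ask every client for a certificate issued by our
    # private CA, but only *enforce* it on the internal path below.
    # ssl_verify_client is a server-level directive, hence "optional" here and
    # a per-location check on $ssl_client_verify.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt; # placeholder: CA that issues client certs
    ssl_verify_client optional;
    ssl_verify_depth 2;

    location /internal/ {
        # Reject anything that did not present a certificate chaining to client-ca.crt.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # Pass the authenticated identity to the backend instead of trusting a header the client set.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass https://10.0.0.10:8443;            # placeholder upstream
    }

    # Mutual TLS (upstream side): nginx itself authenticates to the backend with a
    # client certificate and verifies the backend's certificate against our CA.
    location /api/ {
        proxy_pass https://backend.internal:8443;     # placeholder upstream
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_certificate     /etc/nginx/tls/proxy-client.crt; # placeholder
        proxy_ssl_certificate_key /etc/nginx/tls/proxy-client.key; # placeholder
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt; # placeholder
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_name backend.internal;              # name checked against the upstream certificate
        proxy_ssl_server_name on;
    }

    location / {
        root /var/www/html;                           # placeholder
    }
}
```

After loading this, `nginx -t` validates the syntax, and a quick `openssl s_client -connect example.com:443 -tls1_1` (or `-cipher 'AES128-SHA'` with TLS 1.2) should fail to negotiate, which is the observable proof that the legacy protocol versions and the CBC suites are gone rather than merely deprioritised.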