
My public SSL/TLS configuration for nginx, which I hardened a little: it removes a lot of ciphers, including the CBC suites exposed to the LUCKY13 vulnerability.

This configuration is production-ready and meets the latest major requirements.

TLS versions

This month (January 2020) marked the end of life for TLS 1.0 and TLS 1.1.

Starting with Chrome 79 on January 13, 2020, the browser will show a “Not Secure” indicator to the left of the address box.

By March, with Chrome 81, connections to websites using the legacy versions will be blocked. There will be a full-screen interstitial warning that notes how the site you’re visiting uses an “outdated security configuration, which may expose your information when it is sent to the site.” - https://9to5google.com/2019/10/01/google-chrome-tls-warning/

LUCKY13?

A new attack on AES-CBC, and with it the real end of life for AES-CBC: absolutely all services still using AES-CBC (SSH included) are migrating to fully AEAD ciphersuites such as AES-GCM.

All TLS and DTLS ciphersuites which include CBC-mode encryption are potentially vulnerable - http://www.isg.rhul.ac.uk/tls/Lucky13.html
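The two points above (no TLS 1.0/1.1, no CBC suites) translate into two nginx directives. The following server block is an added illustration written for this post, not the file from the linked repository; the certificate paths and the server name are placeholders. The commented-out lines at the top show the weak settings that a default or older configuration often carries, and the active lines show the hardened form.

```nginx
# Added example (not the sycured/nginx_ssl_config file); paths and names are placeholders.

# --- Weak: still negotiates TLS 1.0/1.1 and CBC ciphersuites ---
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers HIGH:!aNULL:!MD5;   # "HIGH" still contains AES-CBC suites (Lucky13 class)

server {
    listen 443 ssl http2;
    server_name example.com;                          # placeholder

    ssl_certificate     /etc/nginx/tls/fullchain.pem; # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;   # placeholder path

    # Only TLS 1.2 and 1.3: a TLS 1.0/1.1 ClientHello is refused at the handshake.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 list: AEAD only (AES-GCM, CHACHA20-POLY1305) with ECDHE for forward secrecy.
    # No CBC suite is present, so the Lucky13 padding-oracle class cannot be negotiated.
    # TLS 1.3 suites are all AEAD and come from OpenSSL's default list.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:secp384r1;

    # Session resumption without long-lived ticket keys
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
}
```

After `nginx -t` and a reload, verify the result from the outside rather than trusting the file: `openssl s_client -tls1_1 -connect example.com:443` must fail the handshake, and forcing a CBC suite on TLS 1.2 (`openssl s_client -tls1_2 -cipher ECDHE-RSA-AES256-SHA384 -connect example.com:443`) must fail the same way. Only clients that lack any AEAD suite will be cut off, which is the intended trade.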

The configuration

It’s only in Git: https://github.com/sycured/nginx_ssl_config

You may also be interested in mutual TLS to harden your internal proxy_pass, or anything else where you want to be sure the server authenticates the client.
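As an added illustration of that idea (not code from the linked repository), the block below shows mutual TLS on both sides of an nginx proxy: the public listener requires a client certificate signed by an internal CA, and the proxy_pass to the backend presents its own client certificate and verifies the backend's certificate against the same CA. All paths, host names and header names are placeholders.

```nginx
# Added example, not from sycured/nginx_ssl_config. Paths and names are placeholders.

server {
    listen 443 ssl http2;
    server_name internal.example.com;                    # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;       # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;       # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # Server side of mutual TLS: the client must present a certificate that
    # chains to the internal CA; anything else is rejected with HTTP 400.
    ssl_client_certificate /etc/nginx/tls/internal-ca.pem;   # placeholder CA bundle
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # Client side of mutual TLS towards the backend: nginx authenticates with
        # its own certificate and verifies the backend's chain and name.
        proxy_pass https://backend.internal:8443;                      # placeholder
        proxy_ssl_certificate         /etc/nginx/tls/proxy-client.crt; # placeholder
        proxy_ssl_certificate_key     /etc/nginx/tls/proxy-client.key; # placeholder
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;  # placeholder
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_server_name on;
        proxy_ssl_name backend.internal;   # placeholder; must match the backend certificate

        # Hand the verified client identity to the backend for authorization decisions.
        # Header names are placeholders; the backend must only trust them from this proxy.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}
```

Note that `ssl_verify_client on` rejects unauthenticated clients before the request reaches a location, so `$ssl_client_verify` is always `SUCCESS` in the forwarded header here; it becomes informative (`NONE`, `FAILED:reason`) only with `ssl_verify_client optional`, which is the mode to use when the backend itself decides what an unauthenticated client may do. Revocation is not checked unless `ssl_crl` is configured as well.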