{"id":173,"date":"2020-01-26T05:53:00","date_gmt":"2020-01-26T10:53:00","guid":{"rendered":"http:\/\/127.0.0.1:8080\/?p=173"},"modified":"2024-01-13T14:21:46","modified_gmt":"2024-01-13T19:21:46","slug":"nginx-tls-without-lucky13","status":"publish","type":"post","link":"http:\/\/10.42.0.68:8080\/blog\/nginx-tls-without-lucky13","title":{"rendered":"Nginx: TLS without LUCKY13"},"content":{"rendered":"\n
This is my public SSL\/TLS configuration for Nginx, which I hardened a little by removing a lot of ciphers and the LUCKY13 vulnerability.<\/p>\n\n\n\n
This configuration is ready for production and meets the latest major requirements.<\/p>\n\n\n\n\n\n\n\n
This month (January 2020) was the end of life for TLS 1.0 and TLS 1.1.<\/p>\n\n\n\n
\nStarting with Chrome 79 on January 13, 2020, the browser will show a \u201cNot Secure\u201d indicator to the left of the address box.<\/p>\n\n\n\n
By March, with Chrome 81, connections to websites using the legacy versions will be blocked. There will be a full-screen interstitial warning that notes how the site you\u2019re visiting uses an \u201coutdated security configuration, which may expose your information when it is sent to the site.\u201d – https:\/\/9to5google.com\/2019\/10\/01\/google-chrome-tls-warning\/<\/a><\/p>\n<\/blockquote>\n\n\n\n
LUCKY13?<\/h3>\n\n\n\n
LUCKY13 is a new attack on AES-CBC, and now it’s the real end of life for AES-CBC: absolutely all services using AES-CBC (SSH included<\/strong>) should migrate to full AEAD cipher suites, such as AES-GCM.<\/p>\n\n\n\n
\nAll TLS and DTLS cipher suites which include CBC-mode encryption are potentially vulnerable – http:\/\/www.isg.rhul.ac.uk\/tls\/Lucky13.html<\/a><\/p>\n<\/blockquote>\n\n\n\n
The configuration<\/h3>\n\n\n\n
It’s only in Git: https:\/\/github.com\/sycured\/nginx_ssl_config<\/a><\/p>\n\n\n\n