I'm having an issue trying to disable SSLv3 on my nginx installation.

HTTPS works fine, but I just can't seem to disable SSLv3 and it makes my site vulnerable to the POODLE attack. Also, for some reason the connection is encrypted over 128-bit instead of 256-bit even though I got a 256-bit certificate.

Nginx version: 1.6.2

Here's what I entered into my server block on the site I wanted to use:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers On;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

Thanks!

Sven

1 Answer

1. Disabling SSLv3

The only line you need to make nginx stop using SSLv3 is your first one, i.e.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

If you still see nginx using SSLv3, then your new configuration has most probably not been applied.

Use nginx -t to test your configuration, then reload the service by using:

service nginx reload

or send a SIGHUP signal to the nginx master process.

To check that no error happened and that the configuration reload happened flawlessly, monitor your main error_log (the one defined at the highest level, typically main) closely. Errors will pop up there if something is wrong (i.e. due to SSL certificates or anything not detectable at configuration validation time).

2. Ciphers

Ciphers have nothing to do with your key size. They are negotiated between client and server to choose common supported cipher suites in order to execute the 4 parts of the SSL protocol where digests/hashes/signatures are needed.

Different qualities of different cipher suites suit certain steps better than others.

More information about cipher suites is available on Wikipedia.
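The procedure in the answer is: fix the ssl_protocols line, validate with nginx -t, reload, then watch the error_log. A step that is easy to miss is finding every ssl_protocols directive that still lists SSLv3 (a server block may inherit or override the one in the http block). The following shell script is an added example, not code from the question or the answer; the two config snippets inside it are constructed, and the audit_ssl_protocols and audit_file function names are my own. It reports "weak" when an ssl_protocols directive still allows SSLv2 or SSLv3 and "ok" otherwise, and it runs offline without nginx installed.

```shell
#!/bin/sh
# Added example: audit nginx configuration text for ssl_protocols directives
# that still permit SSLv3 (or SSLv2) before running `nginx -t` and reloading.
# Both config snippets below are constructed for this example.

# Constructed example of the weak setting: SSLv3 is still listed.
WEAK_CONF=$(cat <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF
)

# Constructed example of the corrected setting from the answer.
FIXED_CONF=$(cat <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF
)

# Read nginx config text on stdin. Print "weak" if any ssl_protocols
# directive lists SSLv2 or SSLv3, "ok" otherwise. Comments are stripped
# first so a commented-out directive does not trigger a false positive.
# nginx protocol tokens are whitespace-separated, so matching "SSLv[23]"
# anywhere between the directive name and the terminating ';' is enough.
audit_ssl_protocols() {
    if sed 's/#.*//' | grep -Eiq '^[[:space:]]*ssl_protocols[[:space:]][^;]*SSLv[23]'; then
        echo weak
    else
        echo ok
    fi
}

# Same check over a file path, so it can be pointed at nginx.conf or at
# each file under conf.d/ or sites-enabled/ (paths are the caller's choice).
audit_file() {
    audit_ssl_protocols < "$1"
}

# Demonstration on the constructed snippets.
printf '%s\n' "$WEAK_CONF"  | audit_ssl_protocols   # weak
printf '%s\n' "$FIXED_CONF" | audit_ssl_protocols   # ok

# Once every file reports "ok", apply the answer's reload steps
# (left as comments here because they require a running nginx):
#   nginx -t && service nginx reload
#   tail -f /var/log/nginx/error.log
```

Run it against each file nginx includes, not only the server block you edited, since an ssl_protocols line in the http block applies to every server that does not override it.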