I'm always looking for ways to improve the encryption settings on my personal email server, and I'm constantly checking SSL Labs to see how my configuration stacks up. For a little while now they have been complaining that I still use weak CBC ciphers in TLS 1.2. However, since they have continued to give me an A+ rating, I didn't really care until today.
I decided to fix it by disabling those ciphers, and it's actually pretty easy. The answer on how to do it comes from user imgx64 on Stack Exchange in this thread where he says all you have to do is add a couple of extra items near the end of your ssl_ciphers portion of your ssl.tmpl config file in Nginx:
You can use !SHA1:!SHA256:!SHA384 to disable all CBC mode ciphers. There are some non-CBC false positives that will also be disabled (RC4, NULL), but you probably also want to disable them anyway.
Note that while GCM and CHACHA20 ciphers have SHA* in their name, they're not disabled because they use their own MAC algorithm. The SHA* in their name is for the PRF, not the MAC.
I changed my ssl_ciphers string from:
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS:!aNULL;
To:
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL;
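To confirm locally what the three extra exclusions do before reloading Nginx, here is an added example (not from the original post or the Stack Exchange answer) that expands both strings with Python's ssl module and lists the non-AEAD suites that remain. It assumes Python is linked against an OpenSSL build comparable to the one Nginx uses; the function names are my own.

```python
import ssl

# Cipher strings copied from the post, without the nginx keyword and trailing ";".
ORIGINAL = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "!DSS:!aNULL"
)
# The only change in the post: three MAC-based exclusions before !DSS.
HARDENED = ORIGINAL.replace(":!DSS", ":!SHA1:!SHA256:!SHA384:!DSS")


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites OpenSSL enables for this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately from this string, so skip them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def non_aead(cipher_string):
    """Suites that use a separate HMAC; in these strings they are all AES-CBC."""
    return sorted(c["name"] for c in expand(cipher_string) if not c["aead"])


def aead(cipher_string):
    """GCM and ChaCha20-Poly1305 suites, which carry their own integrity check."""
    return sorted(c["name"] for c in expand(cipher_string) if c["aead"])


if __name__ == "__main__":
    for label, s in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(label)
        print("  AEAD kept:     ", ", ".join(aead(s)))
        print("  non-AEAD (CBC):", ", ".join(non_aead(s)) or "none")
```

The exact suite list depends on the local OpenSSL version, so run it on the server itself or on a machine with the same OpenSSL package.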
After I made that change and restarted the Nginx service, my SSL Labs report went from this:
To:
Simple, right? Did this help you out? Let us know in the comments!