SSLv3 and Apache/Nginx

Seeing as there is a minor shitstorm going on about the newly published SSLv3 compromise and the attacks on RC4: it has been known for years that SSLv3 is not secure, but now it seems time to disable it completely. There are a multitude of ways to disable SSLv3 for Apache and Nginx, but I've opted to disable it globally rather than per VirtualHost. The configurations below disable SSLv2 and SSLv3, leave TLS 1.0 through 1.2 enabled, and only allow the listed strong ciphers. The main casualty is Internet Explorer 6 on Windows XP, which does not enable TLS 1.0 by default and will no longer be able to connect.

The configurations below were tested on Ubuntu, but should work on any distro. I used the Qualys SSL Labs server test (https://www.ssllabs.com/ssltest/) to verify the results; run it again after every change, since one stray per-VirtualHost directive is enough to bring SSLv3 or a weak cipher back.

Apache 2.2

Put the following in /etc/apache2/conf.d/strong-ssl.conf (conf.d is included from the main server config on Apache 2.2) and restart Apache:

# Everything except SSLv2 and SSLv3, which leaves TLS 1.0, 1.1 and 1.2
SSLProtocol all -SSLv2 -SSLv3
# TLS compression enables the CRIME attack. The directive only exists in
# 2.2.24 and later (some distros backported it); if Apache refuses to start
# on an unknown directive, upgrade or leave this line out.
SSLCompression Off
# The server, not the client, picks the cipher, in the order listed below
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

Make sure no <VirtualHost> block sets its own SSLProtocol or SSLCipherSuite: a directive inside a VirtualHost overrides the global one, so a forgotten per-vhost SSLCipherSuite silently re-enables whatever it lists. Only do that deliberately, for one specific VirtualHost that has to accept weaker ciphers. Note that this 2.2 list still allows 3DES and plain RSA key exchange (no forward secrecy) as a fallback for old clients; you can see exactly which suites any cipher string expands to with openssl ciphers -v '<string>'.

Apache 2.4

On Ubuntu (and Debian) the Apache 2.4 packages no longer read conf.d. Put the following in /etc/apache2/conf-available/strong-ssl.conf, enable it with a2enconf strong-ssl and restart Apache; on other distros put it anywhere that is included from the main server config:

# Everything except SSLv2 and SSLv3, which leaves TLS 1.0, 1.1 and 1.2
SSLProtocol all -SSLv2 -SSLv3
# TLS compression enables the CRIME attack
SSLCompression Off
# The server, not the client, picks the cipher, in the order listed below
SSLHonorCipherOrder On
# Forward-secret ECDHE/DHE suites with AES only. RC4 is excluded as well,
# since it is broken too (see the introduction), as are NULL, export, low,
# MD5, 3DES, PSK, SRP and DSS suites.
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !RC4 !MD5 !EXP !PSK !SRP !DSS"

Make sure no <VirtualHost> block sets its own SSLProtocol or SSLCipherSuite, since a directive inside a VirtualHost overrides the global one for that host. The list above contains only forward-secret ECDHE/DHE suites with AES; it deliberately leaves out RC4 and 3DES, which means Internet Explorer on Windows XP (no AES, no TLS 1.1 or 1.2) will not connect at all. If you must support it, add 3DES (preferable to RC4) on that specific VirtualHost only, and know what you are trading for it.

Nginx

Put the following in /etc/nginx/conf.d/strong-ssl.conf (included from the http block on Ubuntu), check it with nginx -t and restart Nginx. A server block that sets its own ssl_protocols or ssl_ciphers overrides these, just like an Apache VirtualHost, so grep your server blocks for both directives:

# nginx has no "all minus SSLv3" syntax: you list the protocols you want.
# Older nginx defaults to "SSLv3 TLSv1 TLSv1.1 TLSv1.2", so this line is required.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# The server, not the client, picks the cipher, in the order listed below
ssl_prefer_server_ciphers on;
# Same forward-secret AES-only list as for Apache 2.4; RC4 and 3DES excluded
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !RC4 !MD5 !EXP !PSK !SRP !DSS";
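To verify a server after any of the three changes above without depending on an external tester, here is a small Python probe. It is an added example, not part of the original post: it sends a hand-built SSLv3 ClientHello (no extensions, no SNI, so it hits the default server) and reports whether the server answers with an SSLv3 ServerHello or refuses, then offers TLS 1.2 the same way to confirm TLS still works. The cipher suite numbers are the IANA-registered values; it assumes a server that rejects SSLv3 replies with an alert or closes the connection, and the sample responses checked in the comments are constructed, not captured from a real host.

```python
"""Probe a server for SSLv3 with a raw ClientHello (added example, not the post's own code)."""
import os
import socket
import struct
import sys

SSL3 = (3, 0)
TLS1_2 = (3, 3)

CONTENT_HANDSHAKE = 0x16      # record content type: handshake
HANDSHAKE_SERVER_HELLO = 0x02  # handshake message type: ServerHello
# (an alert record has content type 0x15; we treat it as a refusal)

# IANA cipher suite values. The TLS 1.2 GCM/ECDHE/DHE suites match the strong
# list in this post; the old RSA/3DES/RC4 ones are what an SSLv3-era client
# offers. Offering RC4 here is deliberate: the probe wants to learn what the
# server accepts, not to negotiate securely itself.
PROBE_SUITES = [
    0xC030, 0xC02F,  # ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256
    0x009F, 0x009E,  # DHE-RSA-AES256-GCM-SHA384,   DHE-RSA-AES128-GCM-SHA256
    0x0039, 0x0033,  # DHE-RSA-AES256-SHA,          DHE-RSA-AES128-SHA
    0x0035, 0x002F,  # AES256-SHA,                  AES128-SHA
    0x000A, 0x0005, 0x0004,  # DES-CBC3-SHA, RC4-SHA, RC4-MD5
]


def build_client_hello(version, cipher_suites=PROBE_SUITES, client_random=None):
    """Return one ClientHello record for `version` (tuple like (3, 0) for SSLv3)."""
    ver = bytes(version)
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        ver                                          # client_version
        + client_random                              # 32 random bytes
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
        + b"\x01\x00"                                # one compression method: null
    )
    handshake = bytes([0x01]) + len(body).to_bytes(3, "big") + body
    # record header: type(1) version(2) length(2); the record version is set
    # to the offered version, which every SSLv3/TLS server accepts
    return bytes([CONTENT_HANDSHAKE]) + ver + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello_version(data):
    """Return (major, minor) negotiated by a ServerHello, or None when the
    server sent an alert, closed the connection, or sent something else."""
    # 5-byte record header, then 4-byte handshake header, then server_version
    if len(data) < 11:
        return None  # b"" means the server simply closed the connection
    if data[0] != CONTENT_HANDSHAKE or data[5] != HANDSHAKE_SERVER_HELLO:
        return None  # typically a fatal alert: handshake_failure or protocol_version
    return (data[9], data[10])


def probe(host, port=443, version=SSL3, timeout=5.0):
    """Offer `version` to host:port; return the version the server picked, or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            return None
    return parse_server_hello_version(data)


def sslv3_disabled(host, port=443):
    """True when the server will not negotiate SSLv3 but still negotiates TLS."""
    return probe(host, port, SSL3) != SSL3 and probe(host, port, TLS1_2) is not None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("SSLv3 offered, server picked:", probe(target, version=SSL3))
    print("TLS 1.2 offered, server picked:", probe(target, version=TLS1_2))
    print("SSLv3 disabled and TLS working:", sslv3_disabled(target))
```

Run it as python3 sslv3probe.py yourhost.example; with the configurations above the SSLv3 line should print None and the TLS line (3, 3). A server that answers the SSLv3 offer with (3, 0) still has SSLv3 enabled somewhere, usually in a VirtualHost or server block that overrides the global setting.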

Check your client vulnerability

Your web browser SHOULD support TLS but SHOULD NOT support SSLv3: an attacker who can force a downgrade only needs the client to still accept SSLv3. The two checks this page ran inline can also be done with the SSL Labs client test at https://www.ssllabs.com/ssltest/viewMyClient.html, and the answers you want are:

SSLv3 client support disabled? Yes.
TLS client support enabled? Yes.

If SSLv3 is still on, turn it off yourself: in Firefox set security.tls.version.min to 1 in about:config, start Chrome with --ssl-version-min=tls1, and in Internet Explorer untick "Use SSL 3.0" under Internet Options > Advanced.