How To Protect Nginx Server From POODLE Attack Against SSLV3

As we have seen in the one of our post about “What is POODLE Attach and How TLS_FALLBACK_SCSV helps to prevent it“. In this post we will see how we can make Nginx safe from POODLE attack against SSLV3.

SSLV3 is enabled by default in Nginx and Nginx-plus and mostly used by http and mail services. Perform the following steps to make Nginx and Nginx-plus secure:

1. Eliminate or remove SSLV3 from the set of protocol in http{} block. If not present add add the ssl_protocols directory in http{} block.

# in the http{} configuration block
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE (CVE‑2014‑3566)

2. Create or add the same directive in mail{} block

# in the mail{} configuration block
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE (CVE‑2014‑3566)

3. Create or edit the same directive in stream{} block of Nginx or Nginx-plus

# in the stream{} configuration block
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE (CVE‑2014‑3566)

4. Find all other ssl_protocols directive in Nginx configuration. It could be in server{}, mail{} or stream{} blocks. Remove SSLV3 from ssl_protocols directive

# in every server{} block 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;# omit SSLv3 because of POODLE (CVE‑2014‑3566)

5. Run following command to reload the Nginx configurations

# nginx –s reload

How this will help?

This will help the server to not to agree on SSLV3 during a SSL/TLS handshake between client and server. The MiTM (Man in The Middle) will try to downgrade the TLS/SSL version during the handshake but since we have removed SSLV3 from the Nginx configuration, server won’t agree on using SSLV3.