NGINX SSL Ciphers

Posted on Oct 14, 2016

With browsers such as Google Chrome and Mozilla Firefox forcing websites to use better ciphers, and websites such as PayPal no longer supporting older versions of TLS, it’s time to update your NGINX installations with the latest version of OpenSSL (TLS 1.2+) and set some decent ciphers.

I’m finding the following cipher set is passing tests such as SSL Labs and CryptoReport - this could change in the future.

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA;

Add those to your NGINX configuration files (usually in /etc/nginx/conf.d/ on CentOS), and restart NGINX.
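To re-check a configuration as requirements change, the following added example (not part of the original post) parses `ssl_ciphers` directives and reports entries without forward secrecy, without an AEAD mode, or built on broken primitives. It assumes explicit TLS 1.2-style OpenSSL suite names as in the list above, not keyword groups such as `HIGH`; the sample config and function names are constructed for illustration.

```python
import re

# Constructed sample config; the ssl_ciphers value is the one from this post.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA;
}
"""

# Substrings of OpenSSL suite names that indicate broken or absent protection.
WEAK_TOKENS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXP", "ADH", "AECDH")
AEAD_TOKENS = ("GCM", "CHACHA20", "CCM")


def extract_cipher_lists(conf_text):
    """Return the suite names of every ssl_ciphers directive, comments ignored."""
    lists = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]
        m = re.search(r"\bssl_ciphers\s+([^;]+);", line)
        if m:
            lists.append(m.group(1).strip().strip("'\"").split(":"))
    return lists


def audit(conf_text):
    """Return (suite, reason) pairs for entries that deserve a second look."""
    findings = []
    for suites in extract_cipher_lists(conf_text):
        for suite in suites:
            name = suite.upper()
            if name.startswith("!"):
                continue  # exclusion entry, nothing is being enabled
            if any(t in name for t in WEAK_TOKENS):
                findings.append((suite, "weak primitive"))
            elif not name.startswith(("ECDHE-", "DHE-")):
                findings.append((suite, "no forward secrecy"))
            elif not any(t in name for t in AEAD_TOKENS):
                findings.append((suite, "CBC mode, not AEAD"))
    return findings


if __name__ == "__main__":
    for suite, reason in audit(SAMPLE_CONF):
        print(f"{suite}: {reason}")
```
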

Please be aware that at the time of writing this article, the ciphers in the list were passing SSL tests; however, as these requirements change and new exploits are released, this may change. I’ll try to update the blog with any such changes.

At the time of writing, the ciphers were secure against the following vulnerabilities:

  • Poodle (TLS)
  • Poodle (SSLv3)
  • FREAK
  • BEAST
  • CRIME