The following Nginx SSL configuration gives me PCI compliance as well as protection against BEAST attacks. This configuration also ensures that forward secrecy is applied in the SSL layer. More information on forward secrecy here.
So this is what my typical few lines of SSL configuration would look like in Nginx vhost:
server { listen 443; ssl on; ssl_certificate /etc/nginx/ssl/mycert.crt; ssl_certificate_key /etc/nginx/ssl/mycert.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; . . .
I tried this configuration a while back and the ciphers weren’t available on my Ubuntu/Nginx installation. However, after an upgrade to Ubuntu 14.04 and the awesome Nginx 1.6.0 this works like a charm.
The next step would be to replicate this configuration on an Amazon Elastic Load Balancer. I also had problems doing this about a year ago, but I’m hoping that Amazon ELBs now support all of the above ciphers. If anyone has any experience deploying OpenSSL forward secrecy on AWS ELB please post a comment or send me a message.
This Nginx SSL configuration will ensure that your web server is PCI compliant. There are other checkboxes, quite a few in fact, that you need to tick in order to be fully PCI compliant. This is just a guide, but also a good recommendation on how to securely configure SSL certificates on Nginx web servers.
Security UPDATE: SSlv3 POODLE Vulnerability has just been announced and this article has been updated to patch the vulnerability. ?More information on SSLv3 POODLE can be found here.
Marko