Nginx reverse proxy SSL security issue

Until today the example Nginx reverse proxy config for Etherpad allowed for weaker SSL encryption than is acceptable.

You can see if your instance is vulnerable by checking your instances SSL cert

Check your Nginx config to see if this line exists:

ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

If so replace with:

ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 ECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

Restart Nginx then check your instances SSL cert

We updated the wiki to reflect this change.

Leave a comment

Your email address will not be published. Required fields are marked *