Sample nginx.conf includes SSLv2, lacks TLSv1.1 and TLSv1.2 protocols
Reported by: Jeffrey Walton
$ uname -a
Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64
$ ./objs/nginx -V
nginx version: nginx/1.4.4
I think there's an opportunity for improvement in the nginx sample configuration file. I understand it's just a sample, but the problem is a lot of administrators are not as keen as the developers from the nginx project. That is, they will [blindly] take the config rather than making good choices. Additionally, they might get the configuration wrong when attempting to add missing protocols.
From conf/nginx.conf, around line 108:
# ssl_protocols SSLv2 SSLv3 TLSv1;
SSLv2 is completely broken and has no business being listed in 2013. See, for example, Schneier and Wagner's "Analysis of the SSLv3 Protocol". The source code should probably enforce that it's never set because it's such a vulnerability.
TLSv1.1 and TLSv1.2 should probably be explicitly listed so an administrator does not have to look them up. I expect any number of errors could be made here, including an administrator omitting it because that's the way nginx says to do it; and using TLSv1_1 and TLSv1_2 as the strings for the protocols. (I would have made the latter mistake of specifying TLSv1_2).
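An added example, not part of the ticket or of nginx itself: a small Python lint that scans an nginx.conf for active ssl_protocols directives and flags exactly the problems the report describes (SSLv2/SSLv3 enabled, TLSv1.1/TLSv1.2 missing, misspelled names such as TLSv1_2). The configuration it scans is constructed for this example, and the set of accepted protocol names is limited to the ones the ticket mentions.

```python
import re

# Protocol names the ssl_protocols directive accepts in the nginx line the
# ticket discusses; anything else (e.g. "TLSv1_2") is treated as a typo.
KNOWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
BROKEN = {"SSLv2", "SSLv3"}          # must never be enabled
WANTED = {"TLSv1.1", "TLSv1.2"}      # should be listed explicitly

DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+(.+?)\s*;")

def lint_ssl_protocols(conf_text):
    """Return (line_no, message) findings for every active ssl_protocols
    directive in an nginx configuration text. Commented-out directives,
    like the one in the shipped sample, are skipped."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop comments
        m = DIRECTIVE.match(line)
        if not m:
            continue
        protos = set(m.group(1).split())
        for p in sorted(protos & BROKEN):
            findings.append((no, f"broken protocol {p} enabled"))
        for p in sorted(protos - KNOWN):
            findings.append((no, f"unknown protocol name {p!r} (typo?)"))
        for p in sorted(WANTED - protos):
            findings.append((no, f"{p} not enabled"))
    return findings

# Constructed sample configuration covering the cases from the ticket.
SAMPLE_CONF = """\
    # ssl_protocols SSLv2 SSLv3 TLSv1;      # shipped sample, still commented
    ssl_protocols SSLv2 SSLv3 TLSv1;        # admin uncommented it verbatim
    ssl_protocols TLSv1 TLSv1_1 TLSv1_2;    # the underscore typo the ticket warns about
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # what the sample should say
"""

if __name__ == "__main__":
    for no, msg in lint_ssl_protocols(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```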