id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 653 Remove SSLv3 from Default ssl_protocols behavior Thomas Ward "As far as I can tell, this affects both Stable and Mainline branches. Effectively, 1.6.x and 1.7.x both should have this applied, in my opinion. Currently, according to the documentation at http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols the SSL module has a default setting of `ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;` if `ssl_protocols` is not defined. Unfortunately, this leaves new site configurations which don't define `ssl_protocols` explicitly vulnerable to POODLE. Ultimately, it is best to remove SSLv3 from the default protocols list. To that end, I went digging in the code. If one were to make the following changes this would effectively remove SSLv3 from the default, if SSLv3 is not specified explicitly via `ssl_protocols`: REPLACE Line 564 of the ngx_http_ssl_module.c file in src/http/modules (http://trac.nginx.org/nginx/browser/nginx/src/http/modules/ngx_http_ssl_module.c#L564) with: ` (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1` Ultimately, you can still enable SSLv3, but it is off by default. I have run tests on this and it appears that it will work correctly to disable the SSLv3-by-default functionality. While it is easier to ship configuration files which disable SSLv3, that does not prevent a user from using modified configurations which don't disable SSLv3 by default, but also don't specify an `ssl_protocols` line. NOTES: `uname -a` is from the Ubuntu Virtual Machine I am using. The `nginx -V` line is from the NGINX Stable PPA which is based off of Debian's packaging of the nginx stable version." enhancement closed minor nginx-module 1.6.x fixed Linux trusty-vm 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux "nginx version: nginx/1.6.2 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.6.2/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.6.2/debian/modules/ngx_http_substitutions_filter_module"