The other day one of our clients received a report with some changes needed for PCI compliance. For the most part, the changes needed were small but they can be tricky to implement so hopefully this post helps.

1. Upgrade to the lastest version of your Linux Distro (Ubuntu 16.04 in our case at this time)

This usually takes care of most of the issues that pop up and will get you a more recent version of nginx.

2. Remove TLS 1.0

Removing TLS 1.0 is straight forward. Make sure you add this to your nginx config file (/etc/nginx/nginx.conf) in the http section.

ssl_protocols TLSv1.1 TLSv1.2;

3. Explicity set the permitted cipher suites to patch the SWEET32 vulnerability

By explicity setting the cipher suites the server can use, you protect your server from downgrade attacks and other exploitations. Add this to your /etc/nginx/nginx.conf file in the http section.

ssl_prefer_server_ciphers On;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;

Conclusion

Obviously restart your server and then you should be good to go. A good way to check that your changes went into affect is by using the SSL Test tool by Qualys labs.