
A new OpenSSL vulnerability (CVE-2016-0800), called DROWN, was recently announced. It affects older versions of several widely used server technologies:

  • SSLv2, an old version of the Secure Sockets Layer protocol. Most up‑to‑date websites don’t use Secure Sockets Layer (SSL) at all, having moved to Transport Layer Security (TLS).
  • IIS v7, an older version of Microsoft Internet Information Services
  • NSS 3.13 (Network Security Services), a widely used cryptographic library

The DROWN vulnerability is described on a dedicated website, The DROWN Attack. DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption, and makes vulnerable websites susceptible to man‑in‑the‑middle attacks.

DROWN is unusual in that it does not require a site to actively use SSLv2 or other vulnerable protocols. A site is vulnerable if it supports one of the vulnerable protocols or shares a private key with any other server that allows SSLv2 connections.

Both NGINX Open Source and NGINX Plus support SSLv2, but it is turned off by default in all versions since NGINX 0.8.19 (released in October 2009). Only users who have explicitly turned on SSLv2, or use an NGINX version earlier than 0.8.19, or share a private key with another server that allows SSLv2 connections, are vulnerable to this attack.

Site owners should check whether their website configuration supports SSLv2 and disable it if it does. With NGINX and NGINX Plus, the SSL and TLS protocol versions that are accepted are controlled by the ssl_protocols configuration directive. To enable only TLS, and disable both SSLv2 and SSLv3, use the following syntax:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
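As an added example that is not part of the original post or of the NGINX project: a small Python audit that reads an nginx configuration, flags server blocks whose ssl_protocols directive still lists SSLv2 or SSLv3, and also reports servers that merely share a private key with one of them, the second DROWN condition described above. The configuration is a constructed sample, and the parser handles plain server blocks only.

```python
# Constructed sample nginx.conf (not from the original post): one server block
# explicitly re-enables SSLv2, a second reuses its private key, a third is clean.
SAMPLE_CONF = """
http {
    server {
        server_name legacy.example.com;
        ssl_certificate_key /etc/nginx/site.key;
        ssl_protocols SSLv2 SSLv3 TLSv1;          # explicitly enabled: vulnerable
    }
    server {
        server_name www.example.com;
        ssl_certificate_key /etc/nginx/site.key;   # same private key as legacy
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
    server {
        server_name api.example.com;
        ssl_certificate_key /etc/nginx/api.key;
        ssl_protocols TLSv1.2;
    }
}
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}

def parse_servers(conf):
    """One dict {name, key, protocols} per server block; minimal brace tracking."""
    servers, current, depth, server_depth = [], None, 0, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line: continue
        if line.split("{")[0].strip() == "server":   # opening of a server block
            current, server_depth = {"name": None, "key": None, "protocols": set()}, depth
        depth += line.count("{") - line.count("}")
        if current is None: continue
        words = line.rstrip(";").split()
        if words[0] == "server_name":
            current["name"] = words[1]
        elif words[0] == "ssl_certificate_key":
            current["key"] = words[1]
        elif words[0] == "ssl_protocols":
            current["protocols"] = set(words[1:])
        if depth == server_depth:                # closing brace of this block
            servers.append(current)
            current = None
    return servers

def find_drown_exposure(conf):
    """Servers enabling SSLv2/SSLv3, and servers that only share a key with one."""
    servers = parse_servers(conf)
    weak = {s["name"] for s in servers if s["protocols"] & WEAK_PROTOCOLS}
    weak_keys = {s["key"] for s in servers if s["name"] in weak and s["key"]}
    shared = {s["name"] for s in servers if s["name"] not in weak and s["key"] in weak_keys}
    return sorted(weak), sorted(shared)
```

A server block without an ssl_protocols directive inherits the NGINX default, which has excluded SSLv2 since 0.8.19, so the audit only reports protocols that are explicitly listed.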

Please see the reference documentation on SSL/TLS support with NGINX.

For more information about the DROWN attack and NGINX Open Source, send email to nginx@nginx.org. You can also subscribe to the mailing lists.

NGINX Plus users can contact NGINX Support.


If you’re updating your NGINX configuration, or if you’re looking to improve application performance for your secure website, consider upgrading to HTTP/2. You can learn about the benefits in our recent HTTP/2 blog post and HTTP/2 white paper.


About the Author

Faisal Memon

Software Engineer

About F5 NGINX

F5, Inc. is the commercial company behind the popular open source software NGINX. We provide a complete set of technologies for developing and delivering modern applications. Our combined solutions bridge the gap between NetOps and DevOps, delivering multi-cloud application services from code to user. Visit nginx-cn.net to learn more.