Currently the default Nginx configuration enables SSLv3 and RC4. Presumably RC4 support was added a while back to mitigate the BEAST attack. However, these days there are much better configurations possible. SSLv3 is also widely deprecated due to the POODLE attack.
Comment | File | Size | Author |
---|---|---|---|
#1 | 0001-Issue-2457359-Nginx-remove-SSLv3-and-RC4-support-pro.patch | 3.23 KB | bgm |
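
A quick way to check a configuration for the two settings described in this issue, as an added example (not code from the attached patch or from the project). The function names and both sample configurations are constructed for illustration, and the RC4 check is a heuristic over the OpenSSL cipher-string syntax that does not expand aliases.

```python
import re

# Uncommented ssl_protocols / ssl_ciphers directives; the value may span lines.
DIRECTIVE = re.compile(r"^[ \t]*(ssl_protocols|ssl_ciphers)\s+([^;]+);", re.MULTILINE)

def rc4_enabled(cipher_string):
    """Heuristic: RC4 is named by a non-excluding element and never killed with !RC4.
    Aliases such as ALL or MEDIUM are not expanded; `openssl ciphers -v` does that."""
    tokens = [t for t in re.split(r"[:,\s]+", cipher_string.strip("'\" \n")) if t]
    if "!RC4" in tokens:          # '!' removes RC4 permanently, whatever else is listed
        return False
    for tok in tokens:
        if tok[0] in "!-+":       # '!' and '-' remove; a leading '+' only reorders
            continue
        if "RC4" in re.split(r"[-+]", tok):
            return True
    return False

def audit_nginx_tls(text):
    """Return (line_number, directive, problem) tuples for SSLv3 / RC4 usage."""
    findings = []
    for m in DIRECTIVE.finditer(text):
        line = text.count("\n", 0, m.start(1)) + 1
        name, value = m.group(1), m.group(2)
        if name == "ssl_protocols" and "SSLv3" in value.split():
            findings.append((line, name, "SSLv3 enabled (POODLE)"))
        elif name == "ssl_ciphers" and rc4_enabled(value):
            findings.append((line, name, "RC4 cipher suites enabled"))
    return findings

# Constructed sample configurations, not the project's shipped templates.
WEAK = """\
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4-SHA:HIGH:!aNULL:!MD5;
}
"""
HARDENED = """\
server {
    # ssl_protocols SSLv3 TLSv1;   (commented out, so ignored by the audit)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_nginx_tls(conf))
```
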
Comments
Comment #1
bgm commented:
Here's a patch.
It's based on what we use:
https://github.com/coopsymbiotic/provision_symbiotic/blob/master/tpl/cus...
And was based on forked duraconf by ouaibe:
https://github.com/ouaibe/duraconf/blob/master/configs/nginx/nginx.HIGH_...
Note that, as the name implies, this is the "highly, yet pretty secure, compatible set of ciphers", so that it supports IE7+/winXP.
Comment #4
helmo at Initfour websolutions commented:
Thanks for reporting.
A slightly different fix was already being prepared together with the security team. See the commits above.
A new release should be out later today.