NGINX.COM
Web Server Load Balancing with NGINX Plus

A new OpenSSL vulnerability (CVE-2016-0800), called DROWN, was recently announced. It affects older versions of several widely used server technologies:

  • SSLv2, an old version of the Secure Sockets Layer protocol. Most up‑to‑date websites don’t use Secure Sockets Layer (SSL) at all, having moved to Transport Layer Security (TLS).
  • IIS v7, an older version of Microsoft Internet Information Services
  • NSS 3.13 (Network Security Services), a widely used cryptographic library

The DROWN vulnerability is described on a dedicated website, The DROWN Attack. DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption, and makes vulnerable websites susceptible to man‑in‑the‑middle attacks.

DROWN is unusual in that it does not require a site to actively use SSLv2 or other vulnerable protocols. A site is vulnerable if it supports one of the vulnerable protocols or shares a private key with any other server that allows SSLv2 connections.

Both NGINX Open Source and NGINX Plus support SSLv2, but it is turned off by default in all versions since NGINX 0.8.19 (released in October 2009). Only users who have explicitly turned on SSLv2, or use an NGINX version earlier than 0.8.19, or share a private key with another server that allows SSLv2 connections, are vulnerable to this attack.

Site owners should check whether their website configuration supports SSLv2 and disable it if it does. With NGINX and NGINX Plus, the use of SSL and TLS protocols is controlled by the ssl_protocols configuration directive. In order to enable recent TLS only, and disable SSL v2 and SSL v3, use the following syntax:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Please see the reference documentation on SSL/TLS support with NGINX.

For more information about the DROWN attack and NGINX Open Source, send email to [email protected]. You can also subscribe to the mailing lists.

NGINX Plus users can contact NGINX Support.

Visit the following sites for more information:

If you’re updating your NGINX configuration, or if you’re looking to improve application performance for your secure website, consider upgrading to HTTP/2. You can learn about the benefits in our recent HTTP/2 blog post and HTTP/2 white paper.

Image courtesy The Drown Attack.

Hero image
Are Your Applications Secure?

Learn how to protect your apps with NGINX and NGINX Plus

About The Author

Faisal Memon

Software Engineer

About F5 NGINX

F5, Inc. is the company behind NGINX, the popular open source project. We offer a suite of technologies for developing and delivering modern applications. Together with F5, our combined solution bridges the gap between NetOps and DevOps, with multi-cloud application services that span from code to customer.

Learn more at nginx.com or join the conversation by following @nginx on Twitter.