This article gives some examples of improved security settings that may be required by some PCI scans. These involve using a dhparam.pem with an increased key size (`ssl_dhparam`), restricting the TLS versions offered (`ssl_protocols`) and restricting the ciphers offered (`ssl_ciphers`).
By default MDOQ provides a dhparam.pem with a 4096-bit key.
Steps
- Create instance
- Add the following options to Additional SSL Settings within the Nginx component configuration:
  - `ssl_protocols`: `TLSv1.1 TLSv1.2`
  - `ssl_ciphers`: `'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED'`
  - `ssl_dhparam`: `/etc/nginx/dhparam.pem`
- Sync Nginx
- Test
- If happy, carry out the same steps on the production instance.
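The following is an added example, not MDOQ's own code or anything from the platform. It renders the three directives above in nginx syntax, parses them back to catch a duplicated or malformed line before you sync, and then asks the local OpenSSL (via Python's `ssl` module, no network needed) which cipher suites the `ssl_ciphers` string actually enables, so you can see what a PCI scanner will see. The forbidden-fragment list and the `legacy_protocols` helper are my own additions for the check; the directive values are the article's.

```python
"""Render and sanity-check the nginx 'Additional SSL Settings' from the article."""
import re
import ssl

# Directive values as given in the article (dhparam path is the one MDOQ provides).
SSL_PROTOCOLS = "TLSv1.1 TLSv1.2"
SSL_CIPHERS = ("kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 "
               "kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH "
               "!DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED")
SSL_DHPARAM = "/etc/nginx/dhparam.pem"

# Cipher-name fragments the '!' exclusions above are meant to remove (my assumption
# about what a scanner flags); if any survive expansion the string is not doing its job.
FORBIDDEN_FRAGMENTS = ("RC4", "MD5", "NULL", "EXP", "PSK", "SRP", "CAMELLIA", "SEED", "DSS")


def render_ssl_settings(protocols=SSL_PROTOCOLS, ciphers=SSL_CIPHERS, dhparam=SSL_DHPARAM):
    """Return the three directives as nginx expects them inside a server block."""
    return (
        f"ssl_protocols {protocols};\n"
        f"ssl_ciphers '{ciphers}';\n"
        f"ssl_dhparam {dhparam};\n"
    )


def parse_directives(snippet):
    """Parse 'name value;' lines into a dict; raise if a line is malformed or repeated."""
    found = {}
    for line in snippet.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\w+)\s+(.+);", line)
        if not m:
            raise ValueError(f"malformed directive: {line!r}")
        name, value = m.group(1), m.group(2).strip("'\"")
        if name in found:
            raise ValueError(f"directive {name} set twice")
        found[name] = value
    return found


def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL which suites the cipher string enables (offline check)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def forbidden_ciphers(names):
    """Return any expanded cipher names that still carry an excluded fragment."""
    return [n for n in names if any(frag in n for frag in FORBIDDEN_FRAGMENTS)]


def legacy_protocols(protocol_value):
    """Return enabled protocol versions below TLS 1.2.

    TLS 1.0 and 1.1 are deprecated by RFC 8996, so the article's value (which still
    lists TLSv1.1) is expected to show up here; decide with your scanner whether
    that is acceptable.
    """
    legacy = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
    return sorted(p for p in protocol_value.split() if p in legacy)


if __name__ == "__main__":
    snippet = render_ssl_settings()
    print(snippet)
    directives = parse_directives(snippet)
    names = expand_cipher_string(directives["ssl_ciphers"])
    print(f"{len(names)} cipher suites enabled; forbidden survivors: {forbidden_ciphers(names)}")
    print("protocols below TLS 1.2 still enabled:", legacy_protocols(directives["ssl_protocols"]))
```

The exact suite list printed depends on the OpenSSL build on the machine (for example, `DES-CBC3-SHA` is dropped on builds whose default security level disallows 3DES), which is exactly why checking on the instance itself, before the "Test" step, is worthwhile.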