
CRE-2025-0044

NGINX Config Uses Insecure TLS Ciphers
Severity: High
Impact: 9/10
Mitigation: 1/10


Description

Detects NGINX configuration files whose `ssl_ciphers` directive advertises obsolete, cryptographically weak cipher suites: RC4-MD5, RC4-SHA and DES-CBC3-SHA. The RC4 suites are exposed to the Bar Mitzvah attack and to well-documented statistical biases in the RC4 keystream; the CBC-mode suite DES-CBC3-SHA is exposed to BEAST (on TLS 1.0) and to the Lucky-13 padding-oracle attack. A server that will negotiate any of these suites places client–server traffic at risk of interception or tampering.

Mitigation

- **Remove weak suites** from the `ssl_ciphers` directive (for example `ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;`), or adopt a vetted baseline such as the Mozilla intermediate or modern configuration, which lists explicit suites rather than aliases.
- **Enable TLS 1.2+** (`ssl_protocols TLSv1.2 TLSv1.3;`). Dropping TLS 1.0 and 1.1 also removes the BEAST exposure, and TLS 1.3 has no RC4 or 3DES suites at all.
- **Prefer forward secrecy** by allowing only ECDHE/DHE key-exchange suites. Note that the `HIGH` alias on its own still admits static-RSA key exchange, which is another reason to prefer an explicit suite list.
- **Test the endpoint** with tools such as SSL Labs or `testssl.sh` to verify that no weak suite is negotiable. This checks what the running server actually offers and is the authoritative result.
- **Automate regression checks** in CI by linting rendered NGINX configs (e.g. `grep -E "RC4|MD5|DES-CBC3|3DES"`; the 3DES suite is spelled `DES-CBC3-SHA`, so matching only `3DES` misses it) and by expanding the configured cipher string with `openssl ciphers -v '...'` to see which suites an alias such as `HIGH` actually enables. Bear in mind that `openssl ciphers` expands the string against the local OpenSSL build, not the one NGINX links against, and a modern local build silently omits RC4 and 3DES suites it no longer supports, so the live scan above remains the final word.
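The following is an added example of the CI regression check described above, assuming a POSIX shell with `sed`, `grep`, `sort` and optionally `openssl` on the PATH. It is not code from the CRE page or from NGINX; the two configurations are constructed samples, and the function names `extract_directive` and `lint_nginx_tls` are hypothetical. It checks the literal tokens of `ssl_ciphers` as well as their `openssl ciphers` expansion, because each catches what the other misses: the expansion reveals what an alias such as `HIGH` really contains, while the literal tokens still flag `RC4-MD5` or `DES-CBC3-SHA` when the local OpenSSL has dropped those suites from its expansion.

```shell
#!/bin/sh
# Added example (hypothetical CI lint); not code from the CRE page or NGINX.
# Reads ssl_protocols / ssl_ciphers from a rendered NGINX config and reports:
#   WEAK_PROTOCOL       anything below TLSv1.2
#   WEAK_CIPHER         RC4, MD5, 3DES or anonymous key-exchange suites
#   NO_FORWARD_SECRECY  concrete suites whose key exchange is not ECDHE/DHE
# Exit status 0 means clean, 1 means at least one finding.

WEAK_SUITE_RE='RC4|MD5|DES-CBC3|3DES|NULL|ADH|AECDH'

# Constructed sample: the vulnerable configuration the CRE describes.
WEAK_CONF='
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4-MD5:RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256;
}'

# Constructed sample: explicit ECDHE-only suites on TLS 1.2+.
HARDENED_CONF='
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
}'

# extract_directive NAME CONF -> value of the first NAME directive, quotes stripped
extract_directive() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*\"\{0,1\}\([^\";]*\)\"\{0,1\}[[:space:]]*;.*/\1/p" |
        head -n 1
}

# lint_nginx_tls CONF -> one finding per line on stdout; returns 1 if any, else 0
lint_nginx_tls() {
    conf="$1"
    findings=0

    # 1. Protocols: only TLSv1.2 and TLSv1.3 are acceptable.
    for p in $(extract_directive ssl_protocols "$conf"); do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) echo "WEAK_PROTOCOL $p"; findings=$((findings + 1)) ;;
        esac
    done

    # 2. Ciphers: literal tokens plus the local OpenSSL expansion (if available),
    #    deduplicated. The expansion resolves aliases like HIGH; the literal tokens
    #    keep RC4/3DES visible when the local build no longer expands them.
    cipher_str=$(extract_directive ssl_ciphers "$conf")
    expanded=''
    if command -v openssl >/dev/null 2>&1; then
        expanded=$(openssl ciphers "$cipher_str" 2>/dev/null || true)
    fi
    suites=$(printf '%s:%s\n' "$cipher_str" "$expanded" | tr ':' '\n' | sort -u)

    for s in $suites; do
        case "$s" in
            !*|-*|+*|@*) continue ;;   # exclusions and ordering modifiers, not suites
        esac
        if printf '%s\n' "$s" | grep -Eq "$WEAK_SUITE_RE"; then
            echo "WEAK_CIPHER $s"; findings=$((findings + 1))
        elif printf '%s\n' "$s" | grep -Eq '^[A-Z0-9]+-' &&
             ! printf '%s\n' "$s" | grep -Eq '^(ECDHE|DHE)-'; then
            # Hyphenated names are concrete OpenSSL suites (aliases such as HIGH and
            # TLS 1.3 names such as TLS_AES_128_GCM_SHA256 are skipped here).
            echo "NO_FORWARD_SECRECY $s"; findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Usage: lint both samples; a CI job would feed it the rendered config instead.
if ! lint_nginx_tls "$WEAK_CONF"; then echo "weak config: FAIL"; fi
if lint_nginx_tls "$HARDENED_CONF"; then echo "hardened config: clean"; fi
```

Run against the page's own `HIGH:!aNULL:!MD5:!RC4:!3DES` string, the literal tokens pass (they are aliases and exclusions), and it is the `openssl ciphers` expansion that surfaces the static-RSA suites `HIGH` still admits as `NO_FORWARD_SECRECY` findings; that is why the lint does both and why an explicit suite list is easier to reason about.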
