CRE-2025-0044

NGINX Config Uses Insecure TLS CiphersHigh

Impact: 9/10

Mitigation: 1/10

CRE-2025-0044View on GitHub

NginxWeak CiphersSecurityConfigurationTLSKnown IssuePublic

Description

Detects NGINX configuration files that advertise obsolete and cryptographically weak ciphers (RC4-MD5, RC4-SHA, DES-CBC3-SHA). \nThese ciphers are vulnerable to several well-known attacks—including BEAST, BAR-Mitzvah, Lucky-13, and statistical biases in RC4—placing any client–server communication at risk of interception or tampering.\n

Mitigation

- **Remove weak suites** from the `ssl_ciphers` directive (`ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;`) or adopt a vetted baseline (Mozilla intermediate/modern).\n- **Enable TLS 1.2+** (`ssl_protocols TLSv1.2 TLSv1.3;`).\n- **Prefer forward secrecy**—include only ECDHE/DHE key-exchange suites.\n- **Test the endpoint** with tools such as SSL Labs or `testssl.sh` to verify no weak ciphers remain.\n- **Automate regression checks** within CI by linting rendered NGINX configs (e.g. `grep -E \"(RC4|3DES)\"`) or using OpenSSL to enumerate accepted suites (`openssl ciphers -v '...'`).\n

References

• https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
• https://wiki.mozilla.org/Security/Server_Side_TLS
• https://datatracker.ietf.org/doc/html/rfc7465
• https://datatracker.ietf.org/doc/html/rfc8996
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566