SSL – PCI compliance and performance optimization

SSL is a must. PCI compliance is required to accept/store credit card information on your server.

Most small websites (including this one) technically don’t accept/store customer credit card details themselves. They simply redirect the customer to PayPal or another payment gateway page.

SSL Cache:

The first and most important option is to enable the SSL session cache.

Put the following lines in /etc/nginx/nginx.conf:

ssl_session_cache   shared:SSL:20m;
ssl_session_timeout 10m;

20m is the size of the shared nginx session cache. You can adjust it as per your needs.

10m is the SSL session timeout. If a user does not send another request before the timeout expires, the cached SSL session for that user is cleared.

Just reload nginx for the SSL session cache to take effect.

Performance Optimization

Nginx’s default ssl_ciphers value is:

ssl_ciphers HIGH:!aNULL:!MD5;

This enables the strong Diffie–Hellman key exchange (DHE) cipher suites, which are slow. Since PCI compliance doesn’t require this key exchange, we can safely disable it by explicitly defining ssl_ciphers:

ssl_ciphers HIGH:!aNULL:!MD5:!kEDH;

You can read more about the ssl_ciphers string format in the OpenSSL ciphers(1) documentation, which nginx follows.
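To see what a cipher string actually selects before reloading nginx, the added example below (not part of the original post) expands both strings from this page through the local OpenSSL, the same library nginx uses, and reports any DHE, anonymous or MD5 suites that remain. The helper names and the aliases it reads from the OpenSSL description field (Kx=DH, Au=None, Mac=MD5) are assumptions about the installed OpenSSL build.

```python
import re
import ssl


def expand_ciphers(cipher_string):
    """Expand an nginx ssl_ciphers value using the local OpenSSL, as nginx would.

    Returns the TLS 1.2-and-earlier suites the string selects. TLS 1.3 suites are
    dropped because ssl_ciphers does not govern them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # The string selects nothing; nginx would refuse to start with it.
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Summarise which suites of interest survive in the expanded cipher list."""
    suites = expand_ciphers(cipher_string)
    # 'description' is OpenSSL's one-line suite summary, e.g.
    # "DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD"
    return {
        "count": len(suites),
        # Kx=DH marks the slow DHE key exchange that !kEDH is meant to remove
        "dhe": [c["name"] for c in suites
                if re.search(r"\bKx=DH\b", c["description"])],
        # Au=None marks anonymous suites, excluded by !aNULL
        "anon": [c["name"] for c in suites if "Au=None" in c["description"]],
        # Mac=MD5 marks suites excluded by !MD5
        "md5": [c["name"] for c in suites if "Mac=MD5" in c["description"]],
    }


if __name__ == "__main__":
    for cipher_string in ("HIGH:!aNULL:!MD5", "HIGH:!aNULL:!MD5:!kEDH"):
        report = audit(cipher_string)
        print(cipher_string, "->", report["count"], "suites,",
              len(report["dhe"]), "DHE,", len(report["anon"]), "anonymous,",
              len(report["md5"]), "MD5")
</test>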

SSL Security

Next, let’s mitigate the BEAST attack by preferring the server’s cipher order over the browser’s:

ssl_prefer_server_ciphers on;

Test

Test your SSL setup with SSL Labs.

You may see a complaint about “Forward Secrecy”. We leave that as it is, in favour of the speed-up, since it does not compromise PCI-DSS compliance.