Getting forward secrecy enabled

Sergey Budnevitch sb at nginx.com
Thu Oct 3 12:36:41 UTC 2013


On 2 Oct 2013, at 15:08, Vahan Yerkanian <vahan at helix.am> wrote:

> On Oct 2, 2013, at 9:57 AM, justin <nginx-forum at nginx.us> wrote:
> 
>> I don't compile nginx, I get it from the official CentOS repo:
>> 
>> [nginx]
>> name=nginx repo
>> baseurl=http://nginx.org/packages/centos/6/$basearch/
>> gpgcheck=0
>> enabled=1
>> 
> 
> That's your problem, that version doesn't support ECDHE.

nginx itself has no cipher support; it depends on openssl.
The RHEL/CentOS version of openssl lacks elliptic curve ciphers;
they are explicitly stripped from the rpm (https://bugzilla.redhat.com/show_bug.cgi?id=319901),
and ECDHE is unavailable on RHEL/CentOS with the default openssl.
So either change/rebuild the openssl rpm, rebuild nginx with
statically linked openssl, or use another linux distribution.

You can list and check the available ciphers with:
openssl ciphers -v
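
An added example, not part of the original post: a shell script that classifies `openssl ciphers -v` output by its `Kx=` and `Au=` columns, so you can see whether the linked OpenSSL offers ephemeral (forward-secret) key exchange at all. The function names and both sample listings are constructed for illustration, and the column layout is assumed to be the one `openssl ciphers -v` prints.

```shell
#!/bin/sh
# Classify each suite read from stdin (format of `openssl ciphers -v`):
#   ecdhe = ephemeral ECDH, dhe = ephemeral DH, tls13 = TLS 1.3 suite (Kx=any),
#   anon  = unauthenticated (Au=None), other = static RSA, static (EC)DH, PSK, ...
classify_fs() {
    awk '{
        kx = ""; au = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Kx=/) kx = substr($i, 4)
            if ($i ~ /^Au=/) au = substr($i, 4)
        }
        if (kx == "") next                  # not a cipher line
        if (au == "None")      c = "anon"   # ADH/AECDH: never enable these
        else if (kx == "ECDH") c = "ecdhe"  # static ECDH shows as Kx=ECDH/RSA
        else if (kx == "DH")   c = "dhe"    # static DH shows as Kx=DH/RSA
        else if (kx == "any")  c = "tls13"
        else                   c = "other"
        print c, $1
    }'
}

# One-line count per class for a cipher listing on stdin.
fs_summary() {
    classify_fs | awk '{ n[$1]++ } END {
        printf "ecdhe=%d dhe=%d tls13=%d anon=%d other=%d\n",
               n["ecdhe"], n["dhe"], n["tls13"], n["anon"], n["other"] }'
}

# Constructed sample: a build with the EC suites stripped, as described above.
sample_no_ec() { cat <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
EOF
}

# Constructed sample: a build that includes elliptic curve suites.
sample_with_ec() { cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
EOF
}

# Summarise the local OpenSSL if one is installed.
if command -v openssl >/dev/null 2>&1; then
    openssl ciphers -v 2>/dev/null | fs_summary
fi
```

An `ecdhe=0` result from the openssl that nginx is linked against means no `ssl_ciphers` setting can enable ECDHE on that host.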

