Getting forward secrecy enabled

Gena Makhomed gmm at csdoc.com
Thu Oct 3 13:29:13 UTC 2013


On 03.10.2013 15:36, Sergey Budnevitch wrote:

> nginx itself has no cipher support; it depends on openssl.
> The RHEL/CentOS version of openssl lacks elliptic curve ciphers,
> they are explicitly stripped from the rpm (https://bugzilla.redhat.com/show_bug.cgi?id=319901),
> and ECDHE is unavailable on RHEL/CentOS with the default openssl.
> So either change/rebuild the openssl rpm, rebuild nginx with
> statically linked openssl, or use another linux distribution.

To rebuild nginx with statically linked openssl, the spec changes are:

========================================================

...
%define openssl_version 1.0.1e
...
Source0:    http://sysoev.ru/nginx/nginx-%{version}.tar.gz
...
Source4:    http://www.openssl.org/source/openssl-%{openssl_version}.tar.gz
...
%prep
%setup -q
%setup -q -b4
...
./configure \
...
     --with-openssl=../openssl-%{openssl_version} \
     --with-openssl-opt="no-threads no-shared no-zlib no-dso no-asm" \
...
#make %{?_smp_mflags}
make
...

========================================================

P.S.

It would be better if the nginx rpm spec contained a build option,
like "--with-statically-linked-openssl",
to easily switch between statically and dynamically
linked openssl during an nginx srpm rebuild,
or even to change the default to always use
the latest openssl for nginx from nginx.org.

If nginx is built with the latest openssl,
getting forward secrecy enabled is easy, as described in the articles:

https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

and

https://community.qualys.com/blogs/securitylabs/2013/09/17/updated-ssltls-deployment-best-practices-deprecate-rc4

for example:

     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
     ssl_prefer_server_ciphers on;
     # cipher string from the Qualys articles above; ECDHE/DHE suites first, RC4 as last resort
     ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";

     # 2048-bit DH parameters for the EDH (DHE) suites
     ssl_dhparam /etc/tls/dh2048/dh2048.pem;
     ssl_session_cache shared:SSL:4M;
     ssl_session_timeout 120m;

     # OCSP stapling needs a resolver to reach the CA's responder
     ssl_stapling on;
     resolver 8.8.8.8 8.8.4.4;

With such a config, the https://www.ssllabs.com/ssltest/ test
for nginx on CentOS 6 says:

"This server supports Forward Secrecy with modern browsers."

-- 
Best regards,
  Gena
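An added example, not code from the post or from nginx: before trusting the SSL Labs result, you can check offline what the ssl_ciphers string above actually expands to on the libssl you are linking against, and whether that libssl offers ECDHE at all (the RHEL/CentOS problem quoted at the top of the thread). nginx hands ssl_ciphers to SSL_CTX_set_cipher_list(), which is the same call Python's SSLContext.set_ciphers() makes, so running the string through the ssl module of a Python linked against the same OpenSSL gives the list nginx would get. The cipher string is the one from the post joined onto one line; the helper names and the notion of "forward secret = kx-ecdhe or kx-dhe" are this example's own assumptions.

```python
"""Expand an OpenSSL cipher string and report forward secrecy, offline.

Constructed example (not from the mailing-list post or nginx). It
feeds the ssl_ciphers string from the post to the libssl that Python
is linked against and reports, in server preference order, which
suites use an ephemeral (EC)DH key exchange.
"""
import ssl

# The ssl_ciphers string from the post, joined onto one line.
# nginx passes it to SSL_CTX_set_cipher_list(), which is what
# SSLContext.set_ciphers() calls, so the expansion below is what
# nginx would get from the same libssl.
POST_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES "
    "!MD5 !EXP !PSK !SRP !DSS +RC4 RC4"
)

# Key-exchange tags OpenSSL reports for ephemeral Diffie-Hellman
# (assumption of this example: these are the forward-secret ones).
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe"}


def ecdhe_available():
    """True if the linked libssl can offer at least one ECDHE suite.

    An openssl with elliptic-curve support stripped out (the RHEL/CentOS
    case from the thread) cannot select anything for "EECDH" and
    raises here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers("EECDH")
    except ssl.SSLError:
        return False
    return True


def expand_cipher_string(cipher_string):
    """Expand a cipher string into the TLS <= 1.2 suites it selects,
    in the order the server will prefer them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # Newer OpenSSL also lists the TLS 1.3 suites; they are always
    # forward secret and not governed by ssl_ciphers, so drop them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def forward_secrecy_report(cipher_string):
    """Split the expanded list into forward-secret and other suites and
    say whether every FS suite outranks every non-FS one, which is what
    ssl_prefer_server_ciphers on relies on."""
    suites = expand_cipher_string(cipher_string)
    is_fs = [c["kea"] in FORWARD_SECRET_KX for c in suites]
    forward_secret = [c["name"] for c, fs in zip(suites, is_fs) if fs]
    non_fs = [c["name"] for c, fs in zip(suites, is_fs) if not fs]
    # index of the first non-FS suite; no FS suite may come after it
    first_non_fs = next((i for i, fs in enumerate(is_fs) if not fs), len(is_fs))
    fs_ranked_first = not any(is_fs[first_non_fs:])
    return {
        "forward_secret": forward_secret,
        "non_forward_secret": non_fs,
        "fs_ranked_first": fs_ranked_first,
    }


if __name__ == "__main__":
    print("ECDHE available in linked libssl:", ecdhe_available())
    report = forward_secrecy_report(POST_CIPHERS)
    print("forward-secret suites, in preference order:")
    for name in report["forward_secret"]:
        print("   ", name)
    print("non-forward-secret fallbacks:", report["non_forward_secret"] or "none")
    print("all FS suites ranked before non-FS:", report["fs_ranked_first"])
```

Run it with the Python that links the same OpenSSL nginx was built against (for the statically linked build above that means the 1.0.1e tree, so check from the build host). On an OpenSSL that still ships RC4, the trailing "RC4" entries of the string show up in the non-forward-secret list after all the ECDHE/DHE suites; on a current OpenSSL that list is simply empty. A libssl with EC stripped out makes ecdhe_available() return False, and the ECDHE-* suites disappear from the report, which is the state SSL Labs reports as no forward secrecy for modern browsers.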
