"A" Grade SSL/TLS with Nginx and StartSSL

Julien Vehent julien at linuxwall.info
Tue Oct 15 13:27:17 UTC 2013


On 2013-10-15 00:39, Piotr Sikora wrote:
> Hi Julien,
>
>> I spent some time hacking on my SSL conf recently. Nothing new, but I
>> figured I'd share it with the group:
>> 
>> https://jve.linuxwall.info/blog/index.php?post/2013/10/12/A-grade-SSL/TLS-with-Nginx-and-StartSSL
>>
>> Feel free to comment here.
>
>> a few pointers for configuring state-of-the-art TLS on Nginx.
>
> Far from it, from the top:
>
>> build_static_nginx.sh
>
> You should be using:
>
>     --with-openssl=../openssl-1.0.1e
>     --with-openssl-opt="enable-ec_nistp_64_gcc_128"
>
> instead of compiling OpenSSL yourself and playing with CFLAGS & LDFLAGS.
>

Afaik, the above dynamically links openssl. Am I wrong?

>>    listen 443;
>>    ssl on;
>
> That's deprecated syntax, you should be using:
>
>     listen 443 ssl;
>

noted, but that doesn't impact security

>> ssl_dhparam /path/to/dhparam.pem;
>
> While there is nothing wrong with it per se, DH params are only used
> by DHE, which is simply too slow to be used.
>

Are you saying you would rather use non-PFS ciphers than wait an extra 15ms 
to complete a DHE handshake? I wouldn't.

>> ssl_session_timeout 5m;
>
> Not only doesn't it change anything (5m is the default value), but
> it's way too low value to be used.
>
> Few examples from the real world:
>
>     Google    : 28h
>     Facebook  : 24h
>     CloudFlare: 18h
>     Twitter   :  4h
>

Interesting information, which I didn't have before. May I ask how you 
collected it?

>> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>
> SSLv3 is still out there, so you shouldn't be dropping support for it
> unless you know the consequences very well... This definitely
> shouldn't be a general recommendation.
>
>> ssl_ciphers 
>> 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
>
> Why would you put ECDSA cipher suites here when you're using RSA 
> certificate?
>

Because someone else might use DSA certificates.

> You should also disable:
> - DHE cipher suites, because they're too slow compared to the alternative,

No. The alternatives aren't available everywhere.

> - CAMELLIA cipher suites (if you're using AES-NI), because they're too
> slow compared to the alternative.

Again, I don't control clients. I push down unwanted ciphers, but I won't 
disable them unless they are obviously broken (MD5, ...).

>
> Overall, that's far from the state-of-the-art SSL configuration for
> nginx. The only good thing about it is that it's using OCSP and
> achieves "A" grade on ssllabs.com, which can tell you a lot about the
> quality of the tests they're running.
>

I appreciate the feedback, but no need to be rude about it ;)

- Julien



More information about the nginx mailing list