Getting forward secrecy enabled

Sergey Budnevitch sb at nginx.com
Thu Oct 3 13:17:13 UTC 2013


On 3 Oct 2013, at 16:36, Sergey Budnevitch <sb at nginx.com> wrote:

> 
> On 2 Oct 2013, at 15:08, Vahan Yerkanian <vahan at helix.am> wrote:
> 
>> On Oct 2, 2013, at 9:57 AM, justin <nginx-forum at nginx.us> wrote:
>> 
>>> I don't compile nginx, I get it from the official CentOS repo:
>>> 
>>> [nginx]
>>> name=nginx repo
>>> baseurl=http://nginx.org/packages/centos/6/$basearch/
>>> gpgcheck=0
>>> enabled=1
>>> 
>> 
>> That's your problem, that version doesn't support ECDHE.
> 
> nginx itself has no cipher support, it depends on openssl.
> The RHEL/CentOS version of openssl lacks elliptic curve ciphers,
> they are explicitly stripped from the rpm (https://bugzilla.redhat.com/show_bug.cgi?id=319901),
> and ECDHE is unavailable on RHEL/CentOS with the default openssl.
> So either change/rebuild openssl rpm,

It is necessary to rebuild nginx too; openssl replacement alone is not sufficient.

> rebuild nginx with
> statically linked openssl or use another linux distribution.
> 
> You could list and check available ciphers by:
> openssl ciphers -v

BTW, DHE also provides forward secrecy, but it is slow.
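An added check, not part of the thread, that applies the advice above: it reads `openssl ciphers -v` output and reports whether any ephemeral (ECDHE or DHE) key exchange is offered at all. The two sample outputs are constructed to mimic a full build and an EC-stripped build.

```sh
#!/bin/sh
# Forward-secrecy check for `openssl ciphers -v` output. Each line has the form
#   NAME PROTO Kx=... Au=... Enc=... Mac=...
# Ephemeral key exchange shows as exactly "Kx=ECDH" (ECDHE-*) or "Kx=DH" (DHE-*);
# static variants print "Kx=ECDH/RSA" or "Kx=DH/RSA" and are excluded on purpose.

# Constructed sample: a build with EC support.
SAMPLE_FULL='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

# Constructed sample: an EC-stripped build (no Kx=ECDH lines, as on stock RHEL/CentOS).
SAMPLE_STRIPPED='DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

# Count forward-secret ciphers (ephemeral ECDH or DH) in cipher list read from stdin.
fs_cipher_count() {
    awk '$3 == "Kx=ECDH" || $3 == "Kx=DH" { n++ } END { print n + 0 }'
}

# Print "yes" if the cipher list on stdin offers any ECDHE suite, else "no".
has_ecdhe() {
    if awk '$3 == "Kx=ECDH" { found = 1 } END { exit !found }'; then
        echo yes
    else
        echo no
    fi
}

# Demonstration on the constructed samples; on a real host, pipe the live list
# instead:  openssl ciphers -v | has_ecdhe
printf 'full build:     ECDHE=%s  forward-secret suites=%s\n' \
    "$(printf '%s\n' "$SAMPLE_FULL" | has_ecdhe)" \
    "$(printf '%s\n' "$SAMPLE_FULL" | fs_cipher_count)"
printf 'stripped build: ECDHE=%s  forward-secret suites=%s\n' \
    "$(printf '%s\n' "$SAMPLE_STRIPPED" | has_ecdhe)" \
    "$(printf '%s\n' "$SAMPLE_STRIPPED" | fs_cipher_count)"
```

If the stripped case is what you see on the live output, only DHE suites can give forward secrecy until openssl and nginx are both rebuilt as described above.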
