Getting forward secrecy enabled
Gena Makhomed
gmm at csdoc.com
Thu Oct 3 13:29:13 UTC 2013
On 03.10.2013 15:36, Sergey Budnevitch wrote:
> nginx itself has no cipher support, it depends on openssl.
> The RHEL/CentOS version of openssl lacks elliptic curve ciphers,
> they are explicitly stripped from the rpm (https://bugzilla.redhat.com/show_bug.cgi?id=319901),
> and ECDHE is unavailable on RHEL/CentOS with the default openssl.
> So either change/rebuild the openssl rpm, rebuild nginx with
> statically linked openssl or use another Linux distribution.
For rebuilding nginx with statically linked openssl, the spec changes are:
========================================================
...
%define openssl_version 1.0.1e
...
Source0: http://sysoev.ru/nginx/nginx-%{version}.tar.gz
...
Source4: http://www.openssl.org/source/openssl-%{openssl_version}.tar.gz
...
%prep
%setup -q
%setup -q -b4
...
./configure \
...
--with-openssl=../openssl-%{openssl_version} \
--with-openssl-opt="no-threads no-shared no-zlib no-dso no-asm" \
...
#make %{?_smp_mflags}
make
...
========================================================
P.S.
It would be better if the nginx rpm spec contained a build option,
like "--with-statically-linked-openssl",
to easily switch between statically and dynamically
linked openssl during an nginx srpm rebuild.
Or even change the default to always use
the latest openssl for nginx from nginx.org.
If nginx is built with the latest openssl,
getting forward secrecy enabled is easy, as described in these articles:
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
and
https://community.qualys.com/blogs/securitylabs/2013/09/17/updated-ssltls-deployment-best-practices-deprecate-rc4
For example:
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384
EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA
RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";
ssl_dhparam /etc/tls/dh2048/dh2048.pem;
ssl_session_cache shared:SSL:4M;
ssl_session_timeout 120m;
ssl_stapling on;
resolver 8.8.8.8 8.8.4.4;
With such a config, the test at https://www.ssllabs.com/ssltest/
for nginx on CentOS 6 says:
"This server supports Forward Secrecy with modern browsers."
--
Best regards,
Gena
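As an added example (not code from the mail, nginx or OpenSSL), a small Python evaluator for OpenSSL-style cipher strings that shows which suites the ssl_ciphers line above selects, in which order, and which of them give forward secrecy. The SUITES table is a constructed subset of real suite names, MAIL_CIPHERS is the mail's string joined onto one line, and the selection rules are a simplification of OpenSSL's; run `openssl ciphers -v '<string>'` against the real library to see the exact list it builds.

```python
# Constructed table (a subset, not OpenSSL's list): suite -> attribute tags
SUITES = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": {"EECDH", "aECDSA", "AESGCM", "AEAD"},
    "ECDHE-RSA-AES256-GCM-SHA384":   {"EECDH", "aRSA", "AESGCM", "AEAD"},
    "ECDHE-RSA-AES256-SHA384":       {"EECDH", "aRSA", "AES", "SHA384"},
    "ECDHE-RSA-AES128-SHA256":       {"EECDH", "aRSA", "AES", "SHA256"},
    "ECDHE-RSA-RC4-SHA":             {"EECDH", "aRSA", "RC4", "SHA1"},
    "ECDHE-RSA-AES128-SHA":          {"EECDH", "aRSA", "AES", "SHA1"},
    "AECDH-AES128-SHA":              {"EECDH", "aNULL", "AES", "SHA1"},
    "DHE-RSA-AES128-GCM-SHA256":     {"EDH", "aRSA", "AESGCM", "AEAD"},
    "DHE-DSS-AES128-SHA":            {"EDH", "DSS", "AES", "SHA1"},
    "AES128-GCM-SHA256":             {"kRSA", "aRSA", "AESGCM", "AEAD"},
    "RC4-SHA":                       {"kRSA", "aRSA", "RC4", "SHA1"},
    "RC4-MD5":                       {"kRSA", "aRSA", "RC4", "MD5"},
    "DES-CBC3-SHA":                  {"kRSA", "aRSA", "3DES", "SHA1"},
    "EXP-RC4-MD5":                   {"kRSA", "aRSA", "RC4", "MD5", "EXP", "LOW"},
}
ALIASES = {"ECDSA": "aECDSA", "ECDHE": "EECDH", "DHE": "EDH"}  # alternate keyword spellings
# The ssl_ciphers value from the mail, joined into one line.
MAIL_CIPHERS = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
                "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
                "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4")

def matches(name, tags, word):
    # "EECDH+aRSA+AESGCM": every '+'-joined attribute must be present; a full suite name also matches
    return all(a == name or ALIASES.get(a, a) in tags for a in word.split("+"))

def select(cipher_string):
    """Selected suites in order (simplified OpenSSL: a word appends new matches, '-' drops, '!' kills, '+' moves to end)."""
    chosen, killed = [], set()
    for token in cipher_string.replace(":", " ").split():
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = [n for n, t in SUITES.items() if matches(n, t, word) and n not in killed]
        if op == "!":
            killed.update(hit)
            chosen = [n for n in chosen if n not in killed]
        elif op == "-":
            chosen = [n for n in chosen if n not in hit]
        elif op == "+":
            chosen = [n for n in chosen if n not in hit] + [n for n in chosen if n in hit]
        else:
            chosen += [n for n in hit if n not in chosen]
    return chosen

def forward_secret(name):  # ephemeral (EC)DH key exchange with an authenticated peer
    return bool(SUITES[name] & {"EECDH", "EDH"}) and "aNULL" not in SUITES[name]

def report(cipher_string):
    """[(suite, has_forward_secrecy)] in the server's preference order."""
    return [(n, forward_secret(n)) for n in select(cipher_string)]
```

With the mail's string, `report(MAIL_CIPHERS)` puts the RC4 suites last and leaves plain RSA key exchange only for RC4-SHA, which is why SSL Labs reports forward secrecy "with modern browsers" rather than for every client.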