Forward secrecy in Nginx (CentOS6)
Posted
by
Anil
on Server Fault
See other posts from Server Fault
or by Anil
Published on 2013-10-24T05:31:15Z
Indexed on
2013/10/24
9:58 UTC
Read the original article
Hit count: 254
I am trying to enable Forward secrecy in CentOS with nginx webserver.
What I have tried
I have read some tutorials and seems like we should have nginx, openssl latest versions to enable it. So I had installed the openssl latest from source.
sudo wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
sudo tar -xvzf openssl-1.0.1e.tar.gz
cd openssl-1.0.1e
sudo ./config --prefix=/usr/local
sudo make
sudo make install
Now OpenSSL supports the Eliptic Curve ciphers(ECDHE). I tested this with openssl s_server also. It worked well.
Next, I replaced Nginx with latest.
sudo wget http://nginx.org/packages/centos/6/x86_64/RPMS/nginx-1.4.2-1.el6.ngx.x86_64.rpm
sudo rpm -e nginx
sudo rpm -ivh nginx-1.4.2-1.el6.ngx.x86_64.rpm
and configured Nginx as described in this link
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+RC4:EDH+aRSA:EECDH:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
http://baudehlo.wordpress.com/2013/06/24/setting-up-perfect-forward-secrecy-for-nginx-or-stud/
But now Nginx does not support ECDHE ciphers. It supports DHE ciphers. I tried by just enabling ECDHE cipher in nginx still doesn't work. I am using latest web browser(chrome 29 and it support this cipher)
Am i missing anything ? Or Having issues with CentOS or Nginx? I read somewhere that ECC patent issues with CentOS, is this causing problem?
© Server Fault or respective owner