Forward secrecy in Nginx (CentOS6)

Posted by Anil on Server Fault See other posts from Server Fault or by Anil
Published on 2013-10-24T05:31:15Z Indexed on 2013/10/24 9:58 UTC
Read the original article Hit count: 254

Filed under:
|
|
|

I am trying to enable Forward secrecy in CentOS with nginx webserver.

What I have tried
I have read some tutorials and seems like we should have nginx, openssl latest versions to enable it. So I had installed the openssl latest from source.

sudo wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
sudo tar  -xvzf openssl-1.0.1e.tar.gz
cd openssl-1.0.1e
sudo ./config --prefix=/usr/local
sudo make 
sudo make install

Now OpenSSL supports the Eliptic Curve ciphers(ECDHE). I tested this with openssl s_server also. It worked well.

Next, I replaced Nginx with latest.

sudo wget  http://nginx.org/packages/centos/6/x86_64/RPMS/nginx-1.4.2-1.el6.ngx.x86_64.rpm
sudo rpm -e nginx
sudo rpm -ivh  nginx-1.4.2-1.el6.ngx.x86_64.rpm

and configured Nginx as described in this link

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+RC4:EDH+aRSA:EECDH:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

http://baudehlo.wordpress.com/2013/06/24/setting-up-perfect-forward-secrecy-for-nginx-or-stud/

But now Nginx does not support ECDHE ciphers. It supports DHE ciphers. I tried by just enabling ECDHE cipher in nginx still doesn't work. I am using latest web browser(chrome 29 and it support this cipher)

Am i missing anything ? Or Having issues with CentOS or Nginx? I read somewhere that ECC patent issues with CentOS, is this causing problem?

© Server Fault or respective owner

Related posts about nginx

Related posts about centos6