Welcome! Log In Create A New Profile

Advanced

Re: Getting forward secrecy enabled

Sergey Budnevitch
October 03, 2013 09:18AM
On 3 Oct2013, at 16:36 , Sergey Budnevitch <sb@nginx.com> wrote:

>
> On 2 Oct2013, at 15:08 , Vahan Yerkanian <vahan@helix.am> wrote:
>
>> On Oct 2, 2013, at 9:57 AM, justin <nginx-forum@nginx.us> wrote:
>>
>>> I don't compile nginx, I get it from the official CentOS repo:
>>>
>>> [nginx]
>>> name=nginx repo
>>> baseurl=http://nginx.org/packages/centos/6/$basearch/
>>> gpgcheck=0
>>> enabled=1
>>>
>>
>> That's your problem, that version doesn't support ECDHE.
>
> nginx itself has no ciphers support, it depend on openssl.
> RHEL/CentOS version of openssl lacks elliptic curve ciphers,
> it is explicitly striped from rpm (https://bugzilla.redhat.com/show_bug.cgi?id=319901),
> and ECDHE is unavailable on RHEL/CentOS with default openssl.
> So either change/rebuild openssl rpm,

It is neccesary to rebuild nginx too, openssl replacement along is not sufficient.

> rebuild nginx with
> statically linked openssl or use another linux distribution.
>
> You could list and check available ciphers by:
> openssl cipher -v

BTW, DHE also provides forward secrecy, but it is slow.

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Getting forward secrecy enabled

Anonymous User October 02, 2013 12:13AM

Re: Getting forward secrecy enabled

mex October 02, 2013 12:52AM

Re: Getting forward secrecy enabled

mex October 02, 2013 01:00AM

Re: Getting forward secrecy enabled

Anonymous User October 02, 2013 01:16AM

Re: Getting forward secrecy enabled

Anonymous User October 02, 2013 01:18AM

Re: Getting forward secrecy enabled

mex October 02, 2013 01:34AM

Re: Getting forward secrecy enabled

Anonymous User October 02, 2013 01:32AM

Re: Getting forward secrecy enabled

mex October 02, 2013 01:46AM

Re: Getting forward secrecy enabled

Anonymous User October 02, 2013 01:57AM

Re: Getting forward secrecy enabled

mex October 02, 2013 02:29AM

Re: Getting forward secrecy enabled

Darren Pilgrim October 02, 2013 04:26AM

Re: Getting forward secrecy enabled

mex October 10, 2013 11:42AM

Re: Getting forward secrecy enabled

Vahan Yerkanian October 02, 2013 07:10AM

Re: Getting forward secrecy enabled

Anonymous User October 03, 2013 02:29AM

Re: Getting forward secrecy enabled

Sergey Budnevitch October 03, 2013 08:38AM

Re: Getting forward secrecy enabled

Sergey Budnevitch October 03, 2013 09:18AM

Re: Getting forward secrecy enabled

Gena Makhomed October 03, 2013 09:30AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 68
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 254 on July 05, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready