Gena Makhomed
October 03, 2013 09:30AM
On 03.10.2013 15:36, Sergey Budnevitch wrote:

> nginx itself has no ciphers support, it depends on openssl.
> RHEL/CentOS version of openssl lacks elliptic curve ciphers,
> it is explicitly stripped from rpm (https://bugzilla.redhat.com/show_bug.cgi?id=319901),
> and ECDHE is unavailable on RHEL/CentOS with default openssl.
> So either change/rebuild openssl rpm, rebuild nginx with
> statically linked openssl or use another linux distribution.

To rebuild nginx with statically linked openssl, spec changes:

========================================================

....
%define openssl_version 1.0.1e
....
Source0: http://sysoev.ru/nginx/nginx-%{version}.tar.gz
....
Source4: http://www.openssl.org/source/openssl-%{openssl_version}.tar.gz
....
%prep
%setup -q
%setup -q -b4
....
../configure \
....
--with-openssl=../openssl-%{openssl_version} \
--with-openssl-opt="no-threads no-shared no-zlib no-dso no-asm" \
....
#make %{?_smp_mflags}
make
....

========================================================

P.S.

It would be better if the nginx rpm spec contained build options -
like "--with-statically-linked-openssl" -
for easily switching between statically and dynamically
linked openssl during an nginx srpm rebuild,
or even changed the default to always use
the latest openssl for nginx from nginx.org.

If nginx is built with the latest openssl,
getting forward secrecy enabled is easy, as described in these articles:

https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

and

https://community.qualys.com/blogs/securitylabs/2013/09/17/updated-ssltls-deployment-best-practices-deprecate-rc4

for example:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384
EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA
RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";

ssl_dhparam /etc/tls/dh2048/dh2048.pem;
ssl_session_cache shared:SSL:4M;
ssl_session_timeout 120m;

ssl_stapling on;
resolver 8.8.8.8 8.8.4.4;

With such a config, the test at https://www.ssllabs.com/ssltest/
for nginx on CentOS 6 says:

"This server supports Forward Secrecy with modern browsers."

--
Best regards,
Gena

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
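The check implied by Sergey's reply above, as an added example that is not part of the thread: ask the OpenSSL that Python links against to expand the ssl_ciphers string posted in this message and report which of the resulting suites use ECDHE/DHE key exchange. On a build whose OpenSSL has elliptic-curve support stripped, the ECDHE entries simply disappear from the expansion, which is why the SSL Labs test reports no forward secrecy. The cipher string is the one from the post; the function names are this example's own.

```python
import ssl

# ssl_ciphers value posted in this thread, joined onto one line.
THREAD_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM "
    "EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 "
    "EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA "
    "RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"
)

# Key-exchange labels OpenSSL reports for ephemeral (forward-secret) suites.
FS_KEA = {"kx-ecdhe", "kx-dhe"}


def expand_ciphers(cipher_string):
    """Let the linked OpenSSL expand an nginx-style cipher string.
    Returns the suites it would actually offer, in server preference order,
    or an empty list if nothing in the string matched at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def forward_secrecy_report(cipher_string):
    """Split the expanded list into forward-secret suites and the rest.
    TLS 1.3 suites are always ephemeral (and are not governed by the
    cipher string), so they count as forward secret regardless of 'kea'."""
    fs, non_fs = [], []
    for c in expand_ciphers(cipher_string):
        ephemeral = c["protocol"] == "TLSv1.3" or c["kea"] in FS_KEA
        (fs if ephemeral else non_fs).append(c["name"])
    return {
        "forward_secret": fs,
        "not_forward_secret": non_fs,
        # False here is exactly the RHEL/CentOS "EC stripped" symptom.
        "ecdhe_available": any(n.startswith("ECDHE-") for n in fs),
    }


if __name__ == "__main__":
    report = forward_secrecy_report(THREAD_CIPHERS)
    print("ECDHE available:", report["ecdhe_available"])
    for name in report["forward_secret"]:
        print("  FS    ", name)
    for name in report["not_forward_secret"]:
        print("  no-FS ", name)
```

Run it with the Python of the host you are building nginx on; if "ECDHE available" is False there, that OpenSSL is the one Sergey describes and a static build against upstream openssl (as in the spec fragment above) is the fix.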