I am trying to enable Forward secrecy in CentOS with nginx webserver.
What I have tried
I have read some tutorials and seems like we should have nginx, openssl latest versions to enable it. So I had installed the openssl latest from source.
sudo wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
sudo tar -xvzf openssl-1.0.1e.tar.gz
cd openssl-1.0.1e
sudo ./config --prefix=/usr/local
sudo make
sudo make install
Now OpenSSL supports the Eliptic Curve ciphers(ECDHE). I tested this with openssl s_server also. It worked well.
Next, I replaced Nginx with latest.
sudo wget http://nginx.org/packages/centos/6/x86_64/RPMS/nginx-1.4.2-1.el6.ngx.x86_64.rpm
sudo rpm -e nginx
sudo rpm -ivh nginx-1.4.2-1.el6.ngx.x86_64.rpm
and configured Nginx as described in this link
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+RC4:EDH+aRSA:EECDH:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
http://baudehlo.wordpress.com/2013/06/24/setting-up-perfect-forward-secrecy-for-nginx-or-stud/
But now Nginx does not support ECDHE ciphers. It supports DHE ciphers. I tried by just enabling ECDHE cipher in nginx still doesn't work. I am using latest web browser(chrome 29 and it support this cipher)
Am i missing anything ? Or Having issues with CentOS or Nginx? I read somewhere that ECC patent issues with CentOS, is this causing problem?
Best Answer
You are right that ECC in RedHat's (and therefore in CentOS's)
openssl
is disabled, due to patent concerns; see (eg) this bugzilla entry for more details. Note how any time anyone opens a new tracker to compain, it's closed as a duplicate of this one, so don't be fooled by the age of the tracker into thinking that it's a lapsed problem (side note: although most of that bugzilla is bad news, I did like RH's comment 'Please note: "Ubuntu does it" is never a viable legal argument.').You have correctly divined that getting round that will mean compiling your own
openssl
, which is good. But having done so, you can't simply install packaged binaries and expect them to magically pick up your new libraries, because they won't.You'll need to recompile openssl, with eg
--prefix=/usr/local/openssl-custom
, thenmake install
it to that new location, then compilenginx
from source taking care to tell it to compile and link against the new libraries (I can't give you a standard incantation for that, because it varies from package to package, but-with-ssl=/usr/local/openssl-custom
can sometimes be the right thing).If you need any other tools to work with
nginx
, and any of those haveopenssl
dependencies (and these days, what doesn't?), you will likely need to compile those, also.Please let me end by discouraging you from this. It's a lot of work; the compilation is the least of it, you then have to stay on top of all new releases of the packages you're built, and rebuild them whenever they change. I don't know why you've decided you need Forward Secrecy, but I strongly suspect that you will cause yourself more security issues by packages getting out-of-patch than you will ever fix by enabling it.
Note also comments 43 and 90 in the bugzilla entry linked above; if by Forward Secrecy, you mean Perfect Forward Secrecy (PFS), then enabling PFS does not seem to require having ECC. Or just wait, since it looks like we're getting ECC as of RHEL6.5 (C6.5).