for the user

adventures into the land of the command line

perfect forward secrecy with nginx - (ecdhe-rsa)

ECDHE-RSA (elliptic curve diffie-hellman ephemeral key exchange, authenticated with an RSA certificate) prevents a type of attack where a man in the middle has been intercepting and storing traffic for months or years and later breaks the private key of the same https webserver. without forward secrecy they are then able to go back and decrypt all the traffic that was intercepted in the past, including passwords and other sensitive information.

there's an excellent write up of how it works and how it differs from TLS here, so i won't try to explain the theory behind it myself, i'll just show you how to enable it on your nginx webserver

first navigate to /etc/ssl/, and generate all the required files, starting with the private key

$ cd /etc/ssl
$ openssl genrsa -des3 -out myapp.key 2048

remove the passphrase on the key

$ cp myapp.key myapp.key.bak
$ openssl rsa -in myapp.key.bak -out myapp.key

create a certificate signing request

$ openssl req -new -key myapp.key -out myapp.csr

self-sign the certificate if you want to try it out yourself (the browser will tell you the server is untrusted when you navigate there)

$ openssl x509 -req -days 365 -in myapp.csr -signkey myapp.key -out myapp.crt

you’ll want to purchase an actual certificate for a real scenario though and put the .crt file in /etc/ssl/

generate the diffie-hellman parameters file (a .pem file, used by the EDH ciphers in the config below). 2048 bits is important, as 1024 bits has already been broken

$ openssl dhparam -out myapp.pem 2048

in your server config, add all the lines related to ssl below

$ sudo vim /etc/nginx/conf.d/myapp.conf

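server {
    # "listen ... ssl" replaces the old "ssl on;" directive, which is deprecated and removed in recent nginx
    listen                      443 ssl;
    server_name                 127.0.0.1;
    access_log                  /var/log/nginx/access.log;
    error_log                   /var/log/nginx/error.log;

    ssl_certificate             /etc/ssl/myapp.crt;
    ssl_certificate_key         /etc/ssl/myapp.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996), keep them only if you still have legacy clients
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    # use the server's cipher order below instead of the client's
    ssl_prefer_server_ciphers   on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !MEDIUM";
    # diffie-hellman parameters generated with openssl dhparam above
    ssl_dhparam                 /etc/ssl/myapp.pem;
    keepalive_timeout           10;
    ssl_session_cache           shared:SSL:10m;
    ssl_session_timeout         10m;

}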

restart nginx

$ sudo /etc/init.d/nginx restart

keep in mind the date this post was posted: a list of ciphers that is safe now may be broken in the future, so it's always best to check up on what's what
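
one way to do that check, as an added example that is not part of the original post: this python snippet hands the ssl_ciphers value from the config above to the local OpenSSL library and splits the resulting suites by whether their key exchange is ephemeral. it assumes python's ssl module is linked against an OpenSSL similar to the one your nginx uses, and the names PAGE_CIPHERS, is_forward_secret and audit are made up for this example.

```python
import ssl

# cipher string copied verbatim from the nginx config on this page
PAGE_CIPHERS = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
                "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
                "EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES "
                "!MD5 !EXP !PSK !SRP !DSS !RC4 !MEDIUM")

# key exchange labels OpenSSL reports for ephemeral (EC)DH
EPHEMERAL_KEA = {"kx-ecdhe", "kx-dhe"}


def is_forward_secret(suite):
    """suite is one dict as returned by SSLContext.get_ciphers()."""
    # TLS 1.3 suites are reported as kx-any; certificate-based TLS 1.3
    # handshakes always use ephemeral (EC)DH. python lists them even
    # though the ssl_protocols line on this page does not enable TLSv1.3.
    if suite["protocol"] == "TLSv1.3":
        return True
    return suite["kea"] in EPHEMERAL_KEA


def audit(cipher_string):
    """expand an ssl_ciphers value with the local OpenSSL and return
    (forward_secret_names, not_forward_secret_names)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    fs, non_fs = [], []
    for suite in ctx.get_ciphers():
        (fs if is_forward_secret(suite) else non_fs).append(suite["name"])
    return fs, non_fs


if __name__ == "__main__":
    fs, non_fs = audit(PAGE_CIPHERS)
    print(len(fs), "forward-secret suites:", ", ".join(fs))
    print("without forward secrecy:", ", ".join(non_fs) or "none")
```

the exact suite names depend on the OpenSSL build, so run it on the machine that serves the site after every OpenSSL upgrade or config change.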