Comments on Implementing SSL Perfect Forward Secrecy in NGINX Web-Server

This HOW-TO describes the process of implementing Perfect Forward Secrecy with the NGINX web-server on Debian and Ubuntu systems. The process can readily be adapted to other GNU/Linux systems.


Comments

By: Wes Johnson

The ciphers suggested in this article actually led to a poorer ssllabs / Qualys test result than when I didn't have PFS enabled. I'd suggest updating this article with the info at Qualys:

https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

Specifically, the following ciphers led me to an A rating:

EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4

Thanks for the article though, led me to the right place.

By:

Thank you for the comment, Wes. A couple of observations, however:

The only difference in the cipher-suite string in the cited article vs. the string in your comment is that you removed " !MEDIUM" and added " +RC4 RC4" in its place. I don't see how this measure could possibly increase your score, given that removing " !MEDIUM" should lower your score (if anything), and likewise adding " +RC4 RC4" should lower your score (if anything).

With regard to the rationale, " !MEDIUM" removes support for medium-strength ciphers, and while perhaps not substantially insecure in the context of TLS, adding " +RC4 RC4" cannot possibly make your implementation more secure. (For more information regarding RC4, see https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what and http://crypto.stackexchange.com/questions/853/google-is-using-rc4-but-isnt-rc4-considered-unsafe.)

Also, I just tried using the string that you supplied and my overall score doesn't change, nor do any of the four sub-scores (they remain A+, 100, 95, 90, 90).

Are you sure that you didn't make several changes at once and misinterpret the test results?

By: timothy smy

after running service nginx restart the first time in your howto I got

Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.

By: timothy smy

this is an update to my last post

root@mail:~# nginx -t -c /etc/nginx/nginx.conf
nginx: [warn] duplicate value "TLSv1" in /etc/nginx/perfect-forward-secrecy.conf:1
nginx: [warn] duplicate value "TLSv1.1" in /etc/nginx/perfect-forward-secrecy.conf:1
nginx: [warn] duplicate value "TLSv1.2" in /etc/nginx/perfect-forward-secrecy.conf:1
nginx: [emerg] "ssl_prefer_server_ciphers" directive is duplicate in /etc/nginx/perfect-forward-secrecy.conf:2
nginx: configuration file /etc/nginx/nginx.conf test failed

By: CodingKiwi

Dude. My Server was busy generating that pem file for like... 5 days or so. I ran out of food and water, all I could see was dots and plus-signs. Send Help.

By: Victor Tavares

Thank you very much, mate. Your solutions worked awesome for me. I just had to change the RC4 to !RC4 at ssl_ciphers to get an A rating, too.


Thanks aigan!
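The reply about " +RC4 RC4" versus " !MEDIUM" and Victor's "!RC4" fix both come down to the same question: which cipher suites does OpenSSL actually enable for a given ssl_ciphers string, and are they all forward-secret and RC4-free? The following added example (not part of the article or the comments) answers that with Python's ssl module, which hands the string to the same OpenSSL cipher-list parser that nginx uses; it assumes a local OpenSSL build and constructs the hardened string from Wes's by dropping " +RC4 RC4" and appending "!RC4".

```python
import re
import ssl

# Cipher string from Wes Johnson's comment above (copied verbatim).
COMMENT_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES "
    "!MD5 !EXP !PSK !SRP !DSS +RC4 RC4"
)

# Constructed variant applying the fix from Victor's comment: drop the
# trailing "+RC4 RC4" and forbid RC4 outright with "!RC4".
HARDENED_CIPHERS = COMMENT_CIPHERS.replace(" +RC4 RC4", "") + " !RC4"


def expand_cipher_string(cipher_string):
    """Return the suites OpenSSL enables for an nginx-style ssl_ciphers string.

    nginx passes ssl_ciphers to SSL_CTX_set_cipher_list(); set_ciphers() here
    calls the same function, so the expansion reflects the local OpenSSL build
    (modern builds ship no RC4 suites at all, so "RC4" matches nothing).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def non_forward_secret(suites):
    """Names of enabled suites whose key exchange is not ephemeral (EC)DH.

    TLS 1.3 suites are always forward-secret; for older suites the OpenSSL
    description string carries the key exchange as "Kx=ECDH", "Kx=DH", "Kx=RSA".
    """
    offenders = []
    for suite in suites:
        if suite["protocol"] == "TLSv1.3":
            continue
        match = re.search(r"Kx=(\S+)", suite["description"])
        kx = match.group(1) if match else "unknown"
        if kx not in ("ECDH", "DH"):
            offenders.append(suite["name"])
    return offenders


def rc4_suites(suites):
    """Names of enabled suites that use RC4, which TLS scanners mark down."""
    return [suite["name"] for suite in suites if "RC4" in suite["name"]]


if __name__ == "__main__":
    for label, string in (("comment", COMMENT_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        suites = expand_cipher_string(string)
        print(label, len(suites), "suites; non-PFS:", non_forward_secret(suites),
              "RC4:", rc4_suites(suites))
```

Run it against your own ssl_ciphers value before testing at SSL Labs: an empty non-PFS list and an empty RC4 list on the same OpenSSL version nginx links against is what the forward-secrecy part of the grade depends on.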