Changes between Version 2 and Version 3 of how-to/servers/nginx_https_pfs


Timestamp:
Apr 14, 2014, 3:21:16 PM
Author:
IMC linksunten
Comment:

--

  • how-to/servers/nginx_https_pfs

    v2 v3  
    1 '''Perfect Forward Secrecy with nginx on Debian Wheezy'''
     1= Perfect Forward Secrecy with nginx on Debian Wheezy =
    22
    3 [https://en.wikipedia.org/wiki/Forward_secrecy Perfect Forward Secrecy] (pfs) is a countermeasure against surveillance programs as [https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29 PRISM] by the NSA or [https://en.wikipedia.org/wiki/Telecommunications_data_retention Vorratsdatenspeicherung] in Europe. These programs intercept and store ssl-encrypted traffic which became known as [http://www.spiegel.de/international/world/snowden-reveals-how-gchq-in-britain-soaks-up-mass-internet-data-a-909852.html "full take"] in the [http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html summer of Snowden] in 2013.
     3== Introduction ==
    44
    5 This data can be decrypted at some point of time in the future after the ssl master key has been obtained. That is, unless perfect forward secrecy is used to negotiate session keys between server and client. pfs is based on [http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange Diffie-Hellman key exchange] that never sends the session key which can therefore not be intercepted. The only advantage of stealing the ssl master key when PFS is employed would therefore be a stealthy [https://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle attack].
     5[https://en.wikipedia.org/wiki/Forward_secrecy Perfect Forward Secrecy] (PFS) is a countermeasure against surveillance programs as [https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29 PRISM] by the NSA or [https://en.wikipedia.org/wiki/Telecommunications_data_retention Vorratsdatenspeicherung] in Europe. These programs intercept and store TLS-encrypted traffic which became known as [http://www.spiegel.de/international/world/snowden-reveals-how-gchq-in-britain-soaks-up-mass-internet-data-a-909852.html "full take"] in the [http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html summer of Snowden] in 2013. This data can be decrypted at some point of time in the future after the TLS master key has been obtained (e.g. by a bug like [http://heartbleed.com/ heartbleed]). That is, unless perfect forward secrecy is used to negotiate session keys between server and client. PFS is based on [http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange Diffie-Hellman key exchange] that never sends the session key which can therefore not be intercepted. The only advantage of stealing the TLS master key when PFS is employed would therefore be a stealthy [https://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle attack].
    66
    7 ''One word of caution:'' if you change your setup to pfs you must re-key your server (and obtain a new ssl certificate) or your traffic until this moment will still be vulnerable to decryption if the master ssl key will be stolen in the future.
     7== PFS needs re-keying ==
    88
    9 At the time of writing there are some practical problems when running web servers on Debian. The openssl library in [https://wiki.debian.org/DebianSqueeze Debian squeeze] and the apache web server in [https://wiki.debian.org/DebianWheezy Debian wheezy] are too old for pfs. But nginx web server in Debian wheezy is ready for pfs and nginx makes a good ssl offloader.
     9''One word of caution:'' if you change your setup to PFS you must re-key your server (and obtain a new TLS certificate) or your traffic until this moment will still be vulnerable to decryption if the master TLS key will be stolen in the future.
     10
     11== Debian and PFS ==
     12
     13At the time of writing there are some practical problems when running web servers on Debian. The openssl library in [https://wiki.debian.org/DebianSqueeze Debian squeeze] and the apache web server in [https://wiki.debian.org/DebianWheezy Debian wheezy] are too old for PFS. But nginx web server in Debian wheezy is ready for PFS and nginx works well as TLS offloader. This document is written for [https://packages.debian.org/wheezy/nginx nginx] version 1.2.1-2.2+wheezy2 and [https://packages.debian.org/wheezy/openssl openssl] version 1.0.1e-2+deb7u6.
     14
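Review bot: the v3 introduction (diff line 5) says PFS "is based on Diffie-Hellman key exchange that never sends the session key", but what actually gives forward secrecy is that the Diffie-Hellman key is ephemeral, generated per connection and discarded afterwards; a static DH key stored on the server could be stolen exactly like an RSA key. The cipher string chosen later on the page already selects only the ephemeral variants (EDH, EECDH), so suggest writing "ephemeral Diffie-Hellman" here. Related wording: "TLS master key" (lines 5 and 9) means the server's long-term private key, whereas TLS itself calls the per-session secret the master secret; "the server's private key" would avoid the clash and also makes the heartbleed remark clearer, since that bug leaked server memory containing the private key.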
     15== Choose the cipher suite ==
     16
     17[https://bettercrypto.org/ bettercrypto.org] suggests the following cipher suite:
     18{{{
     19EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
     20}}}
     21
     22From a theoretical point of view, this might be perfect. But from a practical point of view, old versions of the Internet Explorer web browser cannot use any of the above cipher suites. So a compromise might be to offer [http://en.wikipedia.org/wiki/RC4 RC4] stream cipher as a fall back cipher, although even [http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx Microsoft suggests] to disable RC4 where possible.
     23
     24The TLS settings for nginx therefore look like this:
     25{{{
     26ssl_prefer_server_ciphers on;
     27ssl_protocols TLSv1.2 TLSv1.1 TLSv1 SSLv3;
     28ssl_ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA:RC4-SHA;
     29}}}
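Review bot: the `ssl_ciphers` line (diff line 28) silently diverges from the bettercrypto.org string quoted at line 19: `!RC4` has been removed, `RC4-SHA` has been appended, and `!SRP` has been added, none of which the text mentions. Since the page itself cites Microsoft's advice to disable RC4, it should name which Internet Explorer versions the fallback is meant for instead of "old versions" and say that keeping `RC4-SHA` is a deliberate trade-off, so readers who do not serve those clients can drop it. With `ssl_prefer_server_ciphers on` the server imposes its own order, so RC4 is only negotiated when a client offers nothing earlier in the list; worth stating. Same point for line 27: `SSLv3` stays in `ssl_protocols`, and unless the same legacy clients require it, it should go. Note that `+SSLv3` inside the cipher string is an OpenSSL ordering token that moves SSLv3-era suites to the end of the list, not a protocol switch, so removing `SSLv3` from `ssl_protocols` needs no change to the cipher string.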