= Perfect Forward Secrecy with nginx on Debian Wheezy =

== Introduction ==

[https://en.wikipedia.org/wiki/Forward_secrecy Perfect Forward Secrecy] (PFS) is a countermeasure against surveillance programs such as [https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29 PRISM] run by the [http://en.wikipedia.org/wiki/National_Security_Agency NSA] or the [https://en.wikipedia.org/wiki/Telecommunications_data_retention data retention] (Vorratsdatenspeicherung) regimes in Europe. These programs intercept and store [http://en.wikipedia.org/wiki/Transport_Layer_Security TLS]-encrypted traffic in bulk, a practice that became known as [http://www.spiegel.de/international/world/snowden-reveals-how-gchq-in-britain-soaks-up-mass-internet-data-a-909852.html "full take"] during the [http://america.aljazeera.com/articles/multimedia/timeline-edward-snowden-revelations.html summer of Snowden] in 2013. With the classic RSA key exchange the client encrypts the premaster secret with the server's public key, so every recorded session can be decrypted at any point in the future once the server's private key has been obtained (e.g. through a bug like [http://heartbleed.com/ heartbleed]), unless perfect forward secrecy is used to negotiate the session keys between server and client. PFS is based on an ephemeral [http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange Diffie-Hellman key exchange] (DHE or ECDHE): the session key is never sent over the wire and therefore cannot be intercepted, and the server's private key only signs the exchange. The only use of a stolen server private key when PFS is employed is therefore a [https://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle attack] against future connections, which is stealthy in that it raises no certificate warning, but has to be performed live rather than against recorded traffic.

== PFS needs re-keying ==

''One word of caution:'' when you switch your setup to PFS you should also re-key your server, i.e. generate a new private key, obtain a new TLS certificate for it and securely destroy the old key. Otherwise all traffic recorded up to this moment, which was protected only by the old key, remains decryptable if that key is stolen in the future.

== Debian and PFS ==

At the time of writing there are some practical problems when running web servers on Debian.
The openssl library in [https://wiki.debian.org/DebianSqueeze Debian squeeze] is too old for PFS, and the apache web server in [https://wiki.debian.org/DebianWheezy Debian wheezy] (apache 2.2) cannot use the ECDHE cipher suites. The nginx web server in Debian wheezy, however, is ready for PFS, and nginx works well as a TLS offloader in front of other servers. This document is written for [https://packages.debian.org/wheezy/nginx nginx] version 1.2.1-2.2+wheezy2 and [https://packages.debian.org/wheezy/openssl openssl] version 1.0.1e-2+deb7u6.

== Choose the cipher suite ==

[https://bettercrypto.org/ bettercrypto.org] suggests the following cipher string. It is an OpenSSL cipher list, evaluated left to right: `EDH` and `EECDH` select the ephemeral Diffie-Hellman suites that provide PFS, the `+` entries only reorder suites already selected, and the `!` entries remove suites permanently.

{{{
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
}}}

From a theoretical point of view this might be perfect. From a practical point of view, however, old versions of the Internet Explorer web browser (IE on Windows XP) cannot use any of the above cipher suites. A compromise is therefore to offer the [http://en.wikipedia.org/wiki/RC4 RC4] stream cipher as a fallback, although even [http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx Microsoft suggests] disabling RC4 where possible, and RFC 7465 has since prohibited RC4 in TLS altogether. Note that the suites at the end of the list (`CAMELLIA256-SHA`, `AES256-SHA`, `CAMELLIA128-SHA`, `AES128-SHA` and `RC4-SHA`) use plain RSA key exchange and provide no forward secrecy; with `ssl_prefer_server_ciphers on` they are only negotiated by clients that support none of the PFS suites ranked above them. The TLS settings for nginx therefore look like this:

{{{
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1 SSLv3;
ssl_ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA:RC4-SHA;
}}}

Two caveats for this configuration. SSLv3 is listed only for the benefit of the same old browsers; it is broken by the POODLE attack (CVE-2014-3566) and should be dropped from `ssl_protocols` unless you must support them. And the DHE suites are only as strong as the Diffie-Hellman group: nginx of this version falls back to a built-in 1024-bit group unless `ssl_dhparam` points at a parameter file you generated yourself (e.g. with `openssl dhparam -out dhparam.pem 2048`), so set that directive as well.
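Rather than trusting the cipher string by inspection, it pays to expand it and check the result. The following is an added example, not code from the original page or from nginx/bettercrypto: it parses the one-suite-per-line output of `openssl ciphers -v` (the OpenSSL 1.0.x format) and reports which suites use an ephemeral (EC)DHE key exchange, which are non-PFS fallbacks, which use weak algorithms such as RC4, and whether any fallback is ranked above a PFS suite, which with `ssl_prefer_server_ciphers on` would make the server pick it even for clients capable of PFS. The embedded `SAMPLE` is constructed in that format (it deliberately includes a static-ECDH suite and an RC4 fallback to exercise the edge cases); when run as a script it uses the local `openssl` binary on the page's `ssl_ciphers` value if one is installed, otherwise the sample.

```python
"""Audit an OpenSSL cipher list (as used in nginx's ssl_ciphers) for
forward secrecy.  Added example, not code from the original page."""
import re
import shutil
import subprocess

# One line of `openssl ciphers -v` (OpenSSL 1.0.x format), e.g.
#   ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Only the ephemeral variants give forward secrecy.  OpenSSL prints them as
# plain "ECDH"/"DH"; static suites appear as "ECDH/RSA", "DH/RSA" etc. and
# export-grade ones as "DH(512)", none of which qualify.
PFS_KX = {"ECDH", "DH"}
WEAK_ENC = {"RC4", "DES", "3DES"}
WEAK_MAC = {"MD5"}

# Constructed sample (not real `openssl ciphers` output) in the same format.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

# The ssl_ciphers value from the page, expanded live when openssl is present.
NGINX_LIST = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:"
    "+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SEED:!ECDSA:"
    "CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA:RC4-SHA"
)


def parse_ciphers(text):
    """Return the suites in server preference order, one dict per line."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def is_pfs(suite):
    """Ephemeral (EC)DH key exchange: the private key only signs."""
    return suite["kx"] in PFS_KX


def is_weak(suite):
    """RC4/DES/3DES, MD5 MAC, or an export-sized DH group such as DH(512)."""
    enc = suite["enc"].split("(")[0]
    return enc in WEAK_ENC or suite["mac"] in WEAK_MAC or "(" in suite["kx"]


def audit(suites):
    """Classify suites and list non-PFS suites ranked above any PFS suite."""
    pfs = [s["name"] for s in suites if is_pfs(s)]
    fallback = [s["name"] for s in suites if not is_pfs(s)]
    weak = [s["name"] for s in suites if is_weak(s)]
    misordered = [
        s["name"] for i, s in enumerate(suites)
        if not is_pfs(s) and any(is_pfs(t) for t in suites[i + 1:])
    ]
    return {"pfs": pfs, "fallback": fallback, "weak": weak,
            "misordered": misordered}


def openssl_ciphers(cipher_string):
    """Expand a cipher string with the local `openssl ciphers -v`."""
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    text = openssl_ciphers(NGINX_LIST) if shutil.which("openssl") else SAMPLE
    report = audit(parse_ciphers(text))
    for key, names in report.items():
        print(f"{key:10s} {len(names):3d}  {' '.join(names)}")
```

A correctly built list yields an empty `misordered` entry and only the intended fallbacks (plus `RC4-SHA`) under `fallback` and `weak`; anything else means the `+`/`!` ordering did not do what you expected and the server will negotiate a non-PFS suite with clients that could have done better.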