Get rid of SHA-1 – nginx, TLSv1.2, PFS and SHA-2

by fabio
Tags: CentOS 6.5, HTTPS, nginx, perfect forward secrecy, SSL

Everyone who knows me a little bit knows how much I dislike Google, but this time we really should thank them for taking a real step toward a more secure web.
They are finally moving away from SHA-1 to the much more secure SHA-2; more info can be found here:

.:. Setup

CentOS 6.5 x86_64
OpenSSL 1.0.1e-fips 11 Feb 2013

The nginx developers provide an up-to-date repository for CentOS:

name=nginx repo

.:. Certificate

To create a self-signed certificate with a SHA-256 (SHA-2 family) signature, plus the 4096-bit Diffie-Hellman parameters used by nginx below, run:

[root@CentOS ssl]# openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:4096 -keyout server.key -out server.crt
[root@CentOS ssl]# chmod 600 server.*
[root@CentOS ssl]# openssl dhparam -out dhparams.pem 4096
[root@CentOS ssl]# chmod 600 dhparams.pem

.:. nginx and Perfect Forward Secrecy

Forward secrecy is obtained in nginx by adding the following parameters to the HTTPS section:

ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam {path to dhparams.pem};
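
A quick check for the three directives above, as an added example that is not part of the original post: a small Python audit that flags SSLv3 in `ssl_protocols` (broken by the POODLE attack and deprecated by RFC 7568), a missing TLSv1.2, `ssl_prefer_server_ciphers` not set to `on`, and a missing `ssl_dhparam`. The function names, the sample `server` block and the `/etc/nginx/ssl/dhparams.pem` path are assumptions made for the illustration.

```python
import re

# Protocols that must not be offered: SSLv2 (prohibited by RFC 6176) and
# SSLv3 (broken by POODLE, deprecated by RFC 7568).
BROKEN_PROTOCOLS = {"SSLv2", "SSLv3"}

def parse_directives(conf_text):
    """Map directive name -> argument list for simple 'name args;' statements.
    Comments are dropped; if a directive repeats, the last one wins."""
    directives = {}
    for stmt in re.sub(r"#[^\n]*", "", conf_text).split(";"):
        words = re.split(r"[{}]", stmt)[-1].split()  # skip any 'server {' prefix
        if words:
            directives[words[0]] = words[1:]
    return directives

def audit_tls(conf_text):
    """Return a list of findings for the three directives used in this post."""
    d = parse_directives(conf_text)
    findings = []
    protocols = set(d.get("ssl_protocols", []))
    for proto in sorted(protocols & BROKEN_PROTOCOLS):
        findings.append("ssl_protocols enables broken protocol " + proto)
    if "TLSv1.2" not in protocols:
        findings.append("ssl_protocols does not explicitly list TLSv1.2")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    if not d.get("ssl_dhparam"):
        findings.append("ssl_dhparam is not set")
    return findings

# Constructed sample: the directives from this post with a hypothetical path.
AS_POSTED = """
server {
    listen 443 ssl;   # HTTPS section
    ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
}
"""
# Constructed sample: the same block with SSLv3 removed.
HARDENED = AS_POSTED.replace("SSLv3 ", "")

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, "->", audit_tls(conf) or "no findings")
```

The parser only understands flat `name args;` statements, so run it on one `server` block at a time rather than on a full configuration with several virtual hosts.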