
Get rid of SHA-1 – nginx, TLSv1.2, PFS and SHA-2

by fabio
Tags: CentOS 6.5, HTTPS, nginx, perfect forward secrecy, SSL

Everyone who knows me a little bit knows how much I dislike Google, but this time we really should thank them for taking a real step toward a more secure web.
They are finally moving away from SHA-1 to the much more secure SHA-2; more info can be found here: http://googleonlinesecurity.blogspot.it/2014/09/gradually-sunsetting-sha-1.html

.:. Setup

CentOS 6.5 x86_64
nginx/1.6.1
OpenSSL 1.0.1e-fips 11 Feb 2013

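Nginx developers provide an up-to-date repository (http://wiki.nginx.org/Install) for CentOS. Note that gpgcheck=0 disables yum's package signature verification and the baseurl is plain HTTP, so packages from this repository are installed unauthenticated: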

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

.:. Certificate

To create a self-signed certificate with a SHA-256 signature, plus Diffie-Hellman parameters for the DHE cipher suites, run:

[root@CentOS ssl]# openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:4096 -keyout server.key -out server.crt
[root@CentOS ssl]# chmod 600 server.*
[root@CentOS ssl]# openssl dhparam -out dhparams.pem 4096
[root@CentOS ssl]# chmod 600 dhparams.pem

.:. nginx and Perfect Forward Secrecy

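Forward secrecy is obtained in nginx by adding the following parameters to the HTTPS section. The ECDHE and DHE suites at the front of the list provide it, and ssl_prefer_server_ciphers makes the server's order take precedence; the plain RSA suites further down (for example AES128-GCM-SHA256) remain as fallbacks without forward secrecy. SSLv3 in ssl_protocols is affected by the POODLE attack and should be dropped unless legacy clients require it: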

ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam {path to dhparams.pem};
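
The following is an added example, not part of the original post: it expands the ssl_ciphers string above and separates the forward-secret suites from the static RSA fallbacks, then repeats the check with "!kRSA" appended. The function names and the "!kRSA" suffix are assumptions of this example, and the expansion uses the OpenSSL build that Python is linked against, which may differ from the one on the nginx host.

```python
import ssl

# ssl_ciphers value copied verbatim from the nginx configuration above.
PAGE_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Key exchanges OpenSSL reports as ephemeral. TLS 1.3 suites show up as
# "kx-any"; a full TLS 1.3 handshake always uses (EC)DHE.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def expand(cipher_string):
    """Expand an OpenSSL cipher string into [(suite, key_exchange)] in
    preference order, using the OpenSSL build Python is linked against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # names this OpenSSL lacks are skipped
    return [(c["name"], c.get("kea", "unknown")) for c in ctx.get_ciphers()]


def forward_secret_suites(cipher_string):
    return [n for n, kx in expand(cipher_string) if kx in EPHEMERAL_KX]


def static_rsa_suites(cipher_string):
    """Suites with static RSA key exchange: a later key compromise exposes
    recorded sessions, so these provide no forward secrecy."""
    return [n for n, kx in expand(cipher_string) if kx == "kx-rsa"]


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    # Assumption of this example: appending "!kRSA" is acceptable, i.e. clients
    # that only support static RSA key exchange may be refused.
    for label, s in (("page", PAGE_CIPHERS), ("page + !kRSA", PAGE_CIPHERS + ":!kRSA")):
        print(label, "forward-secret:", len(forward_secret_suites(s)),
              "static RSA:", static_rsa_suites(s))
```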