Perfect Forward Secrecy

One of the new features in 0.27.3 will be perfect forward secrecy for SSL.

http://www.computerworld.com/article/2473792/encryption/perfect-forward-secrecy-can-block-the-nsa-from-secure-web-pages–but-no-one-uses-it.html
http://en.wikipedia.org/wiki/Forward_secrecy
http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html

Enabling perfect forward secrecy involves picking an up to date version of OpenSSL compiled with the right options and using the appropriate ciphersuite. Do note that older clients (Windows XP) are at odds with secure SSL configuration – there’s no way to get both right at the same time. This suggested configuration is a compromise:

ssl_option no_sslv2
ssl_option no_sslv3
#ssl_option no_tlsv1
ssl_option cipher_server_preference
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

This configuration won’t work with IE6 on XP; hopefully nobody uses that anymore. The extremely long string at the end is the ciphersuite suggested by Mozilla for intermediate compatibility at the time of writing. For the full story, see here:

https://wiki.mozilla.org/Security/Server_Side_TLS

Facebooktwittergoogle_plusredditpinterestlinkedinmail

2 thoughts on “Perfect Forward Secrecy

Leave a Reply

Your email address will not be published. Required fields are marked *