Barcamp Salzburg October 2013: (Perfect) Forward Secrecy with nginx and OpenSSL

The slides I used during the presentation.

  1. (Perfect) Forward Secrecy with nginx and OpenSSL, by Richard Fussenegger, BSc
  2. Rules
     • Ask—if you have a question
     • Ask—if you don’t understand something
     • Ask—if you want to know more
     • Shout—if I get something wrong
  3. nginx: why use it?
     • I have used it since approximately 2008
     • Asynchronous, event-driven
     • Multiple workers (fork)
     • Modular architecture
     • Used by e.g. WordPress, GitHub, Golem.de
  4. OpenSSL: why use it?
     • Supported by all major (*nix) software
     • Can be compiled directly into nginx
     • Lots of ciphers supported
     • Almost a standard today
  5. Forward Secrecy
     “…allows today information to be kept secret even if the private key is compromised in the future.” Vincent Bernat, PhD
  6. TLS AES128-SHA: how does it work?
     • Server presents its certificate
     • Both sides agree on a master secret
     • Built from a 48-byte premaster secret, generated by the client and encrypted with the server's public key
     • Master secret is derived from the premaster secret plus random values exchanged in plain text
     • Authentication and encryption rely on the same private key!
     Source: Vincent Bernat, http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
  7. Solution: Ephemeral Diffie-Hellman
     • Use different keys for authentication and encryption
     • Extends the classic TLS handshake: the server sends a Server Key Exchange message after the regular Certificate message
  8. How To: very easy with nginx
     https://github.com/MovLib/www/blob/master/conf/nginx/conf/ssl.conf
  9. Validate: do things work?
     • Localhost: openssl s_client -tls1 -cipher ECDH -connect 127.0.0.1:443
     • Online: https://www.ssllabs.com/ssltest/analyze.html
  10. Thank you
     • More in my master thesis
     • Questions about nginx, PHP, Debian/Ubuntu? richard@fussenegger.info
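The validation step on slide 9 can be scripted. The following is an added example, not part of the original slides or the MovLib configuration: it reads openssl s_client output and reports whether the negotiated suite uses an ephemeral key exchange, which is the difference between slide 6 (AES128-SHA) and slide 7 (ephemeral Diffie-Hellman). The function names and the sample outputs are assumptions constructed for illustration, and the TLS 1.3 case goes beyond the TLS 1.0 check shown on the slide.

```shell
#!/bin/sh
# Added example: judge the suite reported by `openssl s_client`.

# Map an OpenSSL cipher suite name to its key-exchange class.
fs_status() {
    case "$1" in
        # Ephemeral (EC)DH, server authenticated by certificate.
        ECDHE-*|DHE-*|EDH-*) echo "forward-secret" ;;
        # Certificate-based TLS 1.3 handshakes always use (EC)DHE.
        TLS_AES_*|TLS_CHACHA20_*) echo "forward-secret" ;;
        # Anonymous DH: ephemeral, but the server is not authenticated.
        AECDH-*|ADH-*) echo "anonymous" ;;
        # RSA key exchange (e.g. AES128-SHA) and static ECDH-*/DH-*
        # suites depend on a long-term private key.
        *) echo "not-forward-secret" ;;
    esac
}

# Print the suite from the "Cipher    : NAME" line of the SSL-Session block.
negotiated_cipher() {
    sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Read s_client output on stdin, print "NAME STATUS"; return 0 only for
# a forward-secret suite, 2 when no handshake completed ("0000").
check_stream() {
    cipher=$(negotiated_cipher)
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "no-handshake"; return 2
    fi
    status=$(fs_status "$cipher")
    echo "$cipher $status"
    [ "$status" = "forward-secret" ]
}

# Constructed, abridged sample outputs (not captured from a real server).
sample_rsa() {
    printf '%s\n' 'SSL-Session:' '    Protocol  : TLSv1' '    Cipher    : AES128-SHA'
}
sample_ecdhe() {
    printf '%s\n' 'SSL-Session:' '    Protocol  : TLSv1' '    Cipher    : ECDHE-RSA-AES128-SHA'
}

# Live use against the slide's localhost target:
#   openssl s_client -connect 127.0.0.1:443 </dev/null 2>/dev/null | check_stream
sample_rsa | check_stream || true
sample_ecdhe | check_stream
```

Running the live check without a -cipher restriction shows what the server picks by default, which is what a monitoring job should alert on.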