Fedora/Redhat and perfect forward secrecy

Reindl Harald h.reindl at thelounge.net
Mon Aug 26 14:57:15 UTC 2013



On 26.08.2013 16:24, Chuck Anderson wrote:
> On Mon, Aug 26, 2013 at 11:17:52AM +0200, Reindl Harald wrote:
>> cause and effect
>> because Fedora does *not* support ciphers without large performance impacts
>>
>> in reality without ECDHE you have no way
>> go to https://www.ssllabs.com/ssltest/ and look at the client-handshakes
>> practically no client is using PFS without ECDHE
>>
>> that's the truth when it comes to PFS and Redhat/Fedora
>> http://www.internetstaff.com/roller/blog/entry/enable_elliptical_curve_diffie_hellman
> 
> Not Found
> 
> The requested URL /roller/blog/entry/enable_elliptical_curve_diffie_hellman was not found on this server.
> 
>> http://www.theverge.com/2013/6/26/4468050/facebook-follows-google-with-tough-encryption-standard

and how can I quote from the URL?
http://www.internetstaff.com/roller/blog/entry/enable_elliptical_curve_diffie_hellman

Sunday, July 21, 2013

Enable Elliptical Curve Diffie-Hellman (ECDHE) in Fedora or Amazon Linux

With all the recent publicity regarding Internet spying, there has been a renewed interest in security and
encryption. One oft-neglected feature of SSL is the ability to use a cipher with Diffie-Hellman key exchange that
enables so-called perfect forward secrecy. The advantage of PFS is that even if your private key is compromised,
recorded past traffic cannot be decrypted.

The problem is that Diffie-Hellman algorithms are very slow. This can be offset to a large degree by using
Elliptical Curve Diffie-Hellman (ECDHE). The problem for Red Hat / CentOS / Fedora users is that Red Hat
intentionally disables ECDHE ciphers (among others) because they're unsure of the patent issues surrounding them.

Fixing this requires a custom compilation of OpenSSL. Luckily, it is readily accomplished using the Fedora source
RPM and does not require rolling your own binaries from scratch. In addition, you must recompile applications
such as Apache's mod_ssl after installing the new OpenSSL packages.

Here's how we enable ECDHE ciphers in Apache on a Fedora or Amazon Linux server:

 1. Download and install the openssl and httpd source RPMs.
 2. Download the official openssl-1.0.1e.tar.gz source package into /root/rpmbuild/SOURCES.
 3. Apply the patch below to /root/rpmbuild/SPECS/openssl.spec
 4. rpmbuild -bb openssl.spec
 5. Install the openssl-libs and openssl-devel RPMs in /root/rpmbuild/RPMS/arch
 6. rpmbuild -bb httpd.spec
 7. Install the mod_ssl RPM in /root/rpmbuild/RPMS/arch
 8. Edit your Apache config to prefer ECDHE ciphers
 9. Restart Apache
10. Test your Apache installation with Qualys' SSL Labs to verify your settings
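An added check, not part of this thread or of the linked post: it classifies OpenSSL cipher-suite names by whether their key exchange gives forward secrecy, orders a list PFS-first for an Apache SSLCipherSuite string, and probes the local OpenSSL for ECDHE and DHE suites (on a build with ECDHE stripped, as the post describes for Red Hat, set_ciphers('ECDHE') raises). It assumes Python 3.6+ with the ssl module; the cipher names in the usage block are constructed samples.

```python
import ssl

# TLS 1.2-style cipher names whose key exchange is ephemeral (EC)DH, i.e. forward secret.
# "EDH-" is an older OpenSSL alias for DHE. "ECDH-" without the trailing E is *static* ECDH,
# which gives no forward secrecy, so only the exact "ECDHE-" prefix counts.
PFS_PREFIXES = {"ECDHE-": "ECDHE", "DHE-": "DHE", "EDH-": "DHE"}


def classify(cipher_name):
    """Forward-secrecy class of an OpenSSL cipher-suite name: 'ECDHE', 'DHE', 'TLS1.3' or 'none'."""
    if cipher_name.startswith("TLS_"):
        return "TLS1.3"          # every TLS 1.3 suite uses an ephemeral (EC)DH exchange
    for prefix, kind in PFS_PREFIXES.items():
        if cipher_name.startswith(prefix):
            return kind
    return "none"                # RSA key transport or static (EC)DH: a leaked key decrypts recorded traffic


def prefer_pfs(cipher_names):
    """Order a cipher list for Apache's SSLCipherSuite: ECDHE first, then DHE, then everything else."""
    rank = {"ECDHE": 0, "TLS1.3": 0, "DHE": 1, "none": 2}
    ordered = sorted(cipher_names, key=lambda n: rank[classify(n)])  # stable sort keeps relative order
    return ":".join(ordered)


def local_pfs_support():
    """Probe the OpenSSL this Python is linked against for ECDHE and DHE suites."""
    result = {"openssl": ssl.OPENSSL_VERSION, "ECDHE": [], "DHE": []}
    for kind in ("ECDHE", "DHE"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(kind)   # OpenSSL cipher-string keyword selecting only that key exchange
        except ssl.SSLError:
            continue                # "no cipher match": this build offers none of them (the crippled case)
        # get_ciphers() may also list TLS 1.3 suites; keep only the ones of the probed kind.
        result[kind] = [c["name"] for c in ctx.get_ciphers() if classify(c["name"]) == kind]
    return result


if __name__ == "__main__":
    # Constructed sample list, roughly what a TLS 1.2-era server might advertise.
    sample = ["AES128-SHA", "DHE-RSA-AES256-SHA", "ECDH-RSA-AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
    for name in sample:
        print("%-32s %s" % (name, classify(name)))
    print("SSLCipherSuite", prefer_pfs(sample))
    support = local_pfs_support()
    print(support["openssl"], "ECDHE suites:", len(support["ECDHE"]), "DHE suites:", len(support["DHE"]))
```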
