Fedora/Redhat and perfect forward secrecy
Reindl Harald
h.reindl at thelounge.net
Mon Aug 26 14:57:15 UTC 2013
On 26.08.2013 16:24, Chuck Anderson wrote:
> On Mon, Aug 26, 2013 at 11:17:52AM +0200, Reindl Harald wrote:
>> cause and effect
>> because Fedora does *not* support Ciphers without large performance impacts
>>
>> in reality without ECDHE you have no way
>> go to https://www.ssllabs.com/ssltest/ and look at the client-handshakes
>> practically no client is using PFS without ECDHE
>>
>> that's the truth when it comes to PFS and Redhat/Fedora
>> http://www.internetstaff.com/roller/blog/entry/enable_elliptical_curve_diffie_hellman
>
> Not Found
>
> The requested URL /roller/blog/entry/enable_elliptical_curve_diffie_hellman was not found on this server.
>
>> http://www.theverge.com/2013/6/26/4468050/facebook-follows-google-with-tough-encryption-standard
And how can I quote from the URL?
http://www.internetstaff.com/roller/blog/entry/enable_elliptical_curve_diffie_hellman
Sunday July 21, 2013
Enable Elliptical Curve Diffie-Hellman (ECDHE) in Fedora or Amazon Linux
With all the recent publicity regarding Internet spying, there has been a renewed interest in security and
encryption. One oft-neglected feature of SSL is the ability to use a cipher with Diffie-Hellman key exchange that
enables so-called perfect forward secrecy. The advantage of PFS is that even if your private key is compromised,
recorded past traffic cannot be decrypted.
The problem is that Diffie-Hellman algorithms are very slow. This can be offset to a large degree by using
Elliptical Curve Diffie-Hellman (ECDHE). The problem for Red Hat / CentOS / Fedora users is that Red Hat
intentionally disables ECDHE ciphers (among others) because they're unsure of the patent issues surrounding them.
Fixing this requires a custom compilation of OpenSSL. Luckily, it is readily accomplished using the Fedora source
RPM and does not require rolling your own binaries from scratch. In addition, you must recompile applications
such as Apache's mod_ssl after installing the new OpenSSL packages.
Here's how we enable ECDHE ciphers in Apache on a Fedora or Amazon Linux server:
1. Download and install the openssl and httpd source RPMs.
2. Download the official openssl-1.0.1e.tar.gz source package into /root/rpmbuild/SOURCES.
3. Apply the patch below to /root/rpmbuild/SPECS/openssl.spec.
4. rpmbuild -bb openssl.spec
5. Install the openssl-libs and openssl-devel RPMs in /root/rpmbuild/RPMS/arch.
6. rpmbuild -bb httpd.spec
7. Install the mod_ssl RPM in /root/rpmbuild/RPMS/arch.
8. Edit your Apache config to prefer ECDHE ciphers.
9. Restart Apache.
10. Test your Apache installation with Qualys' SSL Labs to verify your settings.
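As an added example (not code from this post or from the blog it quotes), here is a small Python audit of a cipher list in the `openssl ciphers -v` format, which is how you would confirm whether a given OpenSSL build offers ECDHE/DHE (forward-secret) suites at all, the situation the thread is about. The sample cipher lines are constructed; `audit_local_openssl()` runs the same check against the OpenSSL that Python itself links to.

```python
"""Classify cipher suites by key exchange to find forward-secret ones.

Forward secrecy needs an ephemeral key exchange: Kx=ECDH (ECDHE suites)
or Kx=DH (DHE suites). With Kx=RSA the session key is encrypted to the
server's long-term key, so a later key compromise exposes recorded traffic.
"""
import re
import ssl

# Constructed sample in `openssl ciphers -v` format (not real output).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

KX_RE = re.compile(r"\bKx=(\S+)")
# "any" is what OpenSSL prints for TLS 1.3 suites, whose key exchange is
# always (EC)DHE-based; we assume TLS 1.3 is not run in PSK-only mode.
EPHEMERAL_KX = {"ECDH", "DH", "any"}


def parse_cipher_line(line):
    """Return (suite name, Kx value) for one `ciphers -v` line, else None."""
    parts = line.split()
    match = KX_RE.search(line)
    if len(parts) < 3 or not match:
        return None
    return parts[0], match.group(1)


def audit(ciphers_v_text):
    """Split suites into forward-secret ("pfs") and non-forward-secret lists."""
    result = {"pfs": [], "no_pfs": []}
    for line in ciphers_v_text.splitlines():
        parsed = parse_cipher_line(line)
        if parsed is None:
            continue
        name, kx = parsed
        result["pfs" if kx in EPHEMERAL_KX else "no_pfs"].append(name)
    return result


def ecdhe_available(ciphers_v_text):
    """True if the list offers at least one ECDHE suite (the thread's question)."""
    return any(n.startswith("ECDHE-") for n in audit(ciphers_v_text)["pfs"])


def audit_local_openssl():
    """Audit the OpenSSL this interpreter links against, using the same format."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return audit("\n".join(c["description"] for c in ctx.get_ciphers()))


if __name__ == "__main__":
    print(audit(SAMPLE_CIPHERS_V))
    print("local ECDHE suites:", [n for n in audit_local_openssl()["pfs"] if n.startswith("ECDHE-")])
```

The same function can be pointed at `openssl ciphers -v 'ALL'` output captured from a server before and after the rebuild described above.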