2. Rules
• Ask—if you have a question
• Ask—if you don’t understand something
• Ask—if you want to know more
• Shout—if I get something wrong
3. nginx why use it?
• I use it since approximately 2008
• Asynchronous event-driven
• Multiple workers (fork)
• Modular architecture
• Used by e.g. WordPress, GitHub, Golem.de
4. OpenSSL why use it?
• Supported by all major (*nix) software
• Can be compiled directly into nginx
• Lot’s of ciphers supported
• Almost a standard today
5. Forward Secrecy
“…allows today information to be kept secret
even if the private key is compromised in the future.”
Vincent Bernat, PhD
6. TLS AES128-SHA how does it work?
• Server presents certificate
• Both agree on master secret
• Built from 48byte premaster
secret gen. and encrypted by
client w. public key of server
• Master secret derived from
premaster secret + random
values via plain text
• Authentication and encryption
w. same private key!
Vincent Bernat http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
7. Solution Ephemeral Diffie-Hellman
• Use different key for authentication and encryption
• Extending classic TLS handshake
Server sends a Server Key Exchange message
after regular Certificate message
8. How To very easy with nginx
https://github.com/MovLib/www/blob/master/conf/nginx/conf/ssl.conf
9. Validate do things work?
• Localhost: openssl s_client -tls1 -cipher ECDH -connect 127.0.0.1:443
• Online: https://www.ssllabs.com/ssltest/analyze.html
10. Thank you
• More in my master thesis
• Questions about nginx, PHP, Debian/Ubuntu?
richard@fussenegger.info