2. Rules
• Ask – if you have a question
• Ask – if you don't understand something
• Ask – if you want to know more
• Shout – if I get something wrong
3. nginx why use it?
• I have been using it since approximately 2008
• Asynchronous event-driven
• Multiple workers (fork)
• Modular architecture
• Used by e.g. WordPress, GitHub, Golem.de
4. OpenSSL why use it?
• Supported by all major (*nix) software
• Can be compiled directly into nginx
• Lots of ciphers supported
• Almost a standard today
5. Forward Secrecy
“…allows today information to be kept secret even if the private key is compromised in the future.”
Vincent Bernat, PhD
6. TLS AES128-SHA how does it work?
• Server presents certificate
• Both agree on master secret
• Built from 48-byte premaster secret, generated and encrypted by the client with the public key of the server
• Master secret derived from premaster secret + random values (exchanged in plain text)
• Authentication and encryption with the same private key!
Vincent Bernat http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
7. Solution Ephemeral Diffie-Hellman
• Use different keys for authentication and encryption
• Extending the classic TLS handshake: the server sends a Server Key Exchange message after the regular Certificate message
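The two handshakes described on slides 6 and 7, as an added worked example that is not part of the talk and not nginx or OpenSSL code. It uses only the Python standard library: the TLS 1.2 PRF (P_SHA256 from RFC 5246) derives the master secret from the premaster secret and the two random values in both cases; what differs is where the premaster comes from. The RSA encryption of the premaster is modelled as identity (the standard library has no RSA), and the Diffie-Hellman group is a deliberately small constructed toy group, both marked in the comments.

```python
"""
Added example, not from the slides or from nginx/OpenSSL: models how the TLS 1.2
master secret is derived in the classic RSA key exchange (AES128-SHA) versus
ephemeral Diffie-Hellman (DHE), using only the Python standard library.
"""
import hashlib
import hmac
import os
import secrets

# Toy Diffie-Hellman group (constructed for readability): a 127-bit Mersenne
# prime with generator 2. Real TLS uses 2048-bit+ MODP groups or elliptic curves.
TOY_P = 2**127 - 1
TOY_G = 2


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion from RFC 5246 section 5: an HMAC chain over A(i) || seed."""
    out = b""
    a = seed                                                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """TLS 1.2: PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]."""
    return p_sha256(premaster, b"master secret" + client_random + server_random, 48)


def rsa_key_exchange(client_random: bytes, server_random: bytes):
    """Slide 6: the client picks a 48-byte premaster (2 version bytes + 46 random bytes)
    and sends it RSA-encrypted under the server's long-term public key. Returns what is
    recorded on the wire plus the master secret both sides compute."""
    premaster = b"\x03\x03" + os.urandom(46)
    recorded = {
        "client_random": client_random,
        "server_random": server_random,
        # Stands in for the RSA ciphertext of the premaster; the real value is only
        # readable by whoever holds the server's private key (now or later).
        "premaster_ciphertext": premaster,
    }
    return recorded, master_secret(premaster, client_random, server_random)


def decrypt_recorded_rsa_session(recorded: dict) -> bytes:
    """What a later compromise of the server's RSA private key yields: the premaster
    falls out of the recorded handshake and the master secret is recomputed from it."""
    premaster = recorded["premaster_ciphertext"]   # RSA decryption modelled as identity
    return master_secret(premaster, recorded["client_random"], recorded["server_random"])


def dh_premaster(peer_public: int, own_private: int, p: int = TOY_P) -> bytes:
    """RFC 5246 section 8.1.2: Z = peer^own mod p, with leading zero bytes stripped."""
    z = pow(peer_public, own_private, p)
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def dhe_key_exchange(client_random: bytes, server_random: bytes, p: int = TOY_P, g: int = TOY_G):
    """Slide 7: each side picks a fresh exponent per connection. The server signs g^a with
    its long-term key (authentication); the secret comes from g^ab (encryption). Only the
    public values are recorded; a and b are thrown away after the handshake."""
    a = secrets.randbelow(p - 2) + 1          # server ephemeral exponent
    b = secrets.randbelow(p - 2) + 1          # client ephemeral exponent
    A, B = pow(g, a, p), pow(g, b, p)         # ServerKeyExchange / ClientKeyExchange contents
    recorded = {
        "client_random": client_random,
        "server_random": server_random,
        "server_public": A,                   # signed by the server's long-term key
        "client_public": B,
    }
    server_ms = master_secret(dh_premaster(B, a, p), client_random, server_random)
    client_ms = master_secret(dh_premaster(A, b, p), client_random, server_random)
    return recorded, server_ms, client_ms


if __name__ == "__main__":
    cr, sr = os.urandom(32), os.urandom(32)
    rec, ms = rsa_key_exchange(cr, sr)
    print("RSA kx: master secret recoverable from recording + private key:",
          decrypt_recorded_rsa_session(rec) == ms)
    rec, s_ms, c_ms = dhe_key_exchange(cr, sr)
    print("DHE: both sides agree:", s_ms == c_ms, "; recorded fields:", sorted(rec))
```

The asymmetry is the whole point of slide 7: in `rsa_key_exchange` the recording plus the long-term private key reproduces the master secret at any later time, while in `dhe_key_exchange` the recording holds only `g^a` and `g^b`, and the exponents needed for `dh_premaster` no longer exist once the handshake is over.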
8. How To very easy with nginx
https://github.com/MovLib/www/blob/master/conf/nginx/conf/ssl.conf
9. Validate do things work?
⢠Localhost: openssl s_client -tls1 -cipher ECDH -connect 127.0.0.1:443
⢠Online: https://www.ssllabs.com/ssltest/analyze.html
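A small check for the localhost test on this slide, added here as an example that is not from the talk. It parses the `SSL-Session` block that `openssl s_client` prints and decides whether the cipher the server actually negotiated uses an ephemeral key exchange. Reading the negotiated name matters because OpenSSL's `ECDH` cipher alias also matches fixed (non-ephemeral) ECDH suites, so a successful handshake under `-cipher ECDH` alone does not prove forward secrecy. The three captures are constructed samples; `run_s_client` and its argument handling are this example's own.

```python
"""
Added example, not from the slides: reads `openssl s_client` output and decides
whether the negotiated cipher suite gives forward secrecy. The captures below are
constructed samples in the format s_client prints, not real sessions.
"""
import re
import subprocess
import sys

# OpenSSL suite-name prefixes that mean ephemeral (EC)DH key exchange. The names
# "ECDH-" and "DH-" without the E are fixed-key variants and give no forward secrecy.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

# Lines of the form "    Cipher    : ECDHE-RSA-AES128-SHA" inside the SSL-Session block.
_FIELD = re.compile(r"^[ \t]*(Protocol|Cipher)[ \t]*:[ \t]*(\S+)[ \t]*$", re.M)


def has_forward_secrecy(cipher: str) -> bool:
    """True if the suite's key exchange is ephemeral. TLS 1.3 suites (TLS_*) always are."""
    return cipher.startswith(EPHEMERAL_PREFIXES) or cipher.startswith("TLS_")


def parse_s_client(output: str) -> dict:
    """Extract Protocol and Cipher from the SSL-Session block printed by s_client."""
    fields = dict(_FIELD.findall(output))
    return {"protocol": fields.get("Protocol"), "cipher": fields.get("Cipher")}


def assess(output: str) -> tuple:
    """Return (ok, reason). Fails closed when no cipher was negotiated."""
    info = parse_s_client(output)
    cipher = info["cipher"]
    if not cipher or cipher in ("0000", "(NONE)"):      # s_client prints 0000 on a failed handshake
        return False, "no cipher negotiated (handshake failed?)"
    if not has_forward_secrecy(cipher):
        return False, f"{cipher} uses a static key exchange: no forward secrecy"
    return True, f"{cipher} on {info['protocol']} uses an ephemeral key exchange"


def run_s_client(host: str, port: int, cipher: str = "ECDH") -> str:
    """Run the slide's check against a live host (network required; not exercised here)."""
    cmd = ["openssl", "s_client", "-tls1_2", "-cipher", cipher, "-connect", f"{host}:{port}"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return proc.stdout.decode(errors="replace")


# Constructed sample outputs (abridged to the lines the parser needs).
SAMPLE_FS = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 0A0B0C
"""

SAMPLE_STATIC = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
"""

SAMPLE_FAIL = """\
CONNECTED(00000003)
140735203906400:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""


if __name__ == "__main__":
    if len(sys.argv) == 3:                       # e.g. python check_fs.py 127.0.0.1 443
        output = run_s_client(sys.argv[1], int(sys.argv[2]))
    else:
        output = SAMPLE_FS
    ok, reason = assess(output)
    print("PASS" if ok else "FAIL", "-", reason)
```

Run it with `127.0.0.1 443` to check the local nginx from the slide; without arguments it evaluates the constructed `SAMPLE_FS` capture.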
10. Thank you
⢠More in my master thesis
⢠Questions about nginx, PHP, Debian/Ubuntu?
richard@fussenegger.info