So you have been reading all the press on forward secrecy and want to deploy it? But does your OpenSSL support it? Thankfully it is easy to tell, just run this command:
> openssl ciphers
If you see ciphers like “ECDHE-RSA-AES256-GCM-SHA384” then you have a version of OpenSSL that was built with ECC and ECDHE support enabled, which is required if you want forward secrecy today.
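The check above is easy to eyeball, but it is also easy to script so it can run against any OpenSSL binary on the box (the system one, or one you just built). The following POSIX shell script is an added example, not code from the original post: it parses the colon-separated list that `openssl ciphers` prints and reports whether any ECDHE suites are present. The function names (`has_ecdhe`, `list_ecdhe`, `count_ecdhe`, `check_openssl_binary`) and the two sample cipher lists are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): parse the output of
# `openssl ciphers` and report whether ECDHE suites, the forward-secrecy
# cipher suites the post is looking for, are present.

# has_ecdhe CIPHERLIST
# CIPHERLIST is the colon-separated string printed by `openssl ciphers`.
# Returns 0 (true) if at least one ECDHE-* suite is present, 1 otherwise.
has_ecdhe() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -q '^ECDHE-'
}

# list_ecdhe CIPHERLIST
# Prints the ECDHE suites, one per line (prints nothing if there are none).
list_ecdhe() {
    printf '%s\n' "$1" | tr ':' '\n' | grep '^ECDHE-' || true
}

# count_ecdhe CIPHERLIST
# Prints the number of ECDHE suites (0 when there are none).
count_ecdhe() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -c '^ECDHE-' || true
}

# check_openssl_binary PATH_TO_OPENSSL
# Runs the given openssl binary's `ciphers` command and reports the result.
# Returns 0 if ECDHE suites are available, 1 if not, 2 if the binary is unusable.
check_openssl_binary() {
    bin="$1"
    list="$("$bin" ciphers 2>/dev/null)" || return 2
    if has_ecdhe "$list"; then
        echo "$bin: ECDHE supported ($(count_ecdhe "$list") suites)"
        return 0
    fi
    echo "$bin: no ECDHE suites; this build lacks ECC support"
    return 1
}

# Constructed sample outputs (not captured from a real system), trimmed to a
# few suites each. The first resembles an OpenSSL 1.0.1 build with ECC enabled,
# the second a build without it.
SAMPLE_WITH_ECDHE='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-SHA256:RC4-SHA'
SAMPLE_WITHOUT_ECDHE='DHE-RSA-AES256-SHA:AES256-SHA256:AES128-SHA:RC4-SHA'

# Demonstrate on the samples, then on the system openssl if one is installed.
echo "sample with ECC:"
list_ecdhe "$SAMPLE_WITH_ECDHE"
echo "sample without ECC: $(count_ecdhe "$SAMPLE_WITHOUT_ECDHE") ECDHE suites"
if command -v openssl >/dev/null 2>&1; then
    check_openssl_binary "$(command -v openssl)" || true
fi
```

Point `check_openssl_binary` at the binary you actually intend to use. That matters for the build steps below: a plain `./config` on OpenSSL 1.0.1 installs under `/usr/local/ssl` by default, so after `make install` the new binary is `/usr/local/ssl/bin/openssl`, and checking `/usr/bin/openssl` may still show the old, ECC-less build.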
So how do you go about doing this? Thankfully you don’t need to be a developer or cryptographer; with the following commands you should be able to get the latest (as of the time of this post) OpenSSL with ECC and ECDH enabled.
root> cp /usr/bin/openssl /usr/bin/openssl.orig
root> cd /tmp
root> wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
root> tar -xvzf openssl-1.0.1e.tar.gz
root> cd openssl-1.0.1e
root> ./config no-shared no-threads
root> make depend
root> make
root> make install
You may also need to rebuild your web server. Even though the latest versions of Nginx and Apache include the necessary changes to enable ECDH, if the version you are running was built against a version of OpenSSL that did not include ECC support, you’re going to have to rebuild it as well. Here is a quick post on how to do that for Nginx.