Difference between revisions of "PFS"

From Atomicorp Wiki
Revision as of 12:14, 11 April 2014

Perfect Forward Secrecy

Apache 2.2

Here's an ssl.conf fragment that sets up PFS for you in Apache 2.2:

SSLProtocol -ALL +TLSv1

SSLHonorCipherOrder On

SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4

SSLProtocol -ALL +TLSv1 turns off SSLv2 and SSLv3. SSLHonorCipherOrder On makes the server's preference win over the client's, which is what puts the ephemeral ECDH (EECDH) and DH (EDH) suites first. AES256-SHA near the end is a plain RSA key-exchange suite and gives no forward secrecy; it is only there as a last resort for clients that cannot negotiate an EECDH or EDH suite, so drop it if you do not need such clients.

Note: Remember to remove any existing SSLProtocol, SSLHonorCipherOrder and SSLCipherSuite settings elsewhere in your Apache configs. If you have duplicates, a later one (for example inside a vhost) takes precedence and this won't work.


Nginx

With nginx you have more options to make your configuration more or less paranoid. The configurations below are in order from most paranoid (which means they won't work with some older browsers) to least paranoid. Only the first one restricts the server to ephemeral (EC)DH suites; the two below it re-enable SSLv3, RC4 and a few static-RSA or static-ECDH suites for compatibility, and a connection that lands on one of those suites gets no forward secrecy.

Most paranoid

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED;

Note: If you redefine these somewhere else in your config, this won't work.

Paranoid

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DES-CBC3-SHA;

Note: If you redefine these somewhere else in your config, this won't work. The tail of this list (ECDH-ECDSA-RC4-SHA, ECDH-RSA-RC4-SHA and DES-CBC3-SHA) uses static ECDH or static RSA key exchange, so a client that ends up on one of those suites has no forward secrecy; the RC4 suites are only there for old clients.

Good Security and compatible

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;

Note: If you redefine these somewhere else in your config, this won't work. The AES128-GCM-SHA256, AES256-GCM-SHA384 and RC4-SHA entries and the AES128, AES256 and HIGH aliases add static-RSA suites behind the ECDHE and DHE ones; those fallbacks provide no forward secrecy and exist only for clients that cannot do (EC)DHE.
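Whether a cipher string really delivers PFS is easiest to settle by expanding it and looking at the key-exchange column of every suite that survives. The script below is an added example, not part of the Atomicorp wiki page: it uses only Python's standard-library ssl module, which hands the string to the same OpenSSL cipher-list parser that Apache's SSLCipherSuite and nginx's ssl_ciphers use, and reports each selected suite whose key exchange is not ephemeral (EC)DH. It covers both the Apache string and the nginx lists above (the "Good Security" string is handled the same way; it is left out only for length). Which legacy suites show up depends on the OpenSSL build Python links against; RC4, 3DES and static-ECDH suites are absent from modern builds, so they simply do not appear rather than being flagged.

```python
"""Audit an OpenSSL cipher string for forward secrecy.

Added example (not the wiki page's or Atomicorp's own code). Expands a
cipher string the way OpenSSL does for Apache SSLCipherSuite / nginx
ssl_ciphers and lists every selected suite whose key exchange is not
ephemeral (static RSA or static ECDH), i.e. every suite without PFS.
"""
import ssl

# Cipher strings copied from the configs on this page.
APACHE_22 = ("EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:"
             "!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4")
NGINX_MOST_PARANOID = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:"
    "!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED")
NGINX_PARANOID = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:"
    "ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DES-CBC3-SHA")

# Key-exchange identifiers OpenSSL reports for ephemeral (EC)DH. "kx-any"
# is what TLS 1.3 suites report; those are always (EC)DHE.
EPHEMERAL_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites OpenSSL selects for cipher_string,
    in server preference order (the order that SSLHonorCipherOrder On and
    ssl_prefer_server_ciphers on impose on clients)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are listed whatever the string says and are not
    # governed by it, so keep only the suites the string actually controls.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_forward_secret(cipher):
    """True when the suite's key exchange is ephemeral (EC)DH."""
    return cipher.get("kea") in EPHEMERAL_KEA


def non_pfs_suites(cipher_string):
    """Names of the selected suites that lack forward secrecy, in the order
    a server configured with this string would offer them."""
    return [c["name"] for c in expand(cipher_string)
            if not is_forward_secret(c)]


def audit(label, cipher_string):
    """Print a short report and return the non-PFS suite names."""
    suites = expand(cipher_string)
    bad = non_pfs_suites(cipher_string)
    print(f"{label}: {len(suites)} suites, {len(bad)} without forward secrecy")
    for c in suites:
        flag = "!!" if not is_forward_secret(c) else "  "
        print(f"  {flag} {c['name']:<32} {c['protocol']:<8} {c.get('kea')}")
    return bad


if __name__ == "__main__":
    audit("Apache 2.2 SSLCipherSuite", APACHE_22)
    audit("nginx most paranoid", NGINX_MOST_PARANOID)
    audit("nginx paranoid", NGINX_PARANOID)
```

Rows marked `!!` are the suites to remove, or to keep knowingly as a compatibility fallback: for the Apache string that is AES256-SHA, for the most paranoid nginx list nothing. The same information is in the Kx= column of `openssl ciphers -v '<string>'`, which is handy on a server without Python.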
