Enabling ECC in Fedora and CentOS

Because of the recent revelations about PRISM, it feels like everybody is revisiting their security infrastructure.

After many hours of testing the available ciphers in the Apache web server, I realized that it's impossible to get Perfect Forward Secrecy with Red Hat and its derivatives. See bug #319901

I have decided to recompile openssl and apache for the servers I manage, and I have uploaded the scripts I use to this repository: https://github.com/jorti/fedora-compile-with-ecc

They are based on the previous work of Daniel Pocock: http://danielpocock.com/ussing-ecc-ecdsa-in-openssl-and-strongswan-fedora

This is the configuration I use in Apache, taken from http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/

# /etc/httpd/conf.d/ssl.conf
# Only TLS 1.0/1.1/1.2: SSLv2 and SSLv3 are not enabled by this line
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
# TLS compression is what the CRIME attack exploits, so keep it off
SSLCompression off
# ECDHE and DHE suites first: those are the ones with forward secrecy.
# The RC4 suites are here only for old clients and are considered weak today.
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA
# Let the server, not the client, pick the suite, so the order above is what counts
SSLHonorCipherOrder on
# Redirect everything to HTTPS
<IfModule rewrite_module>
   RewriteEngine On
   #LogLevel info rewrite:trace8

   # Canonical host: any other Host header is sent to www.example.com
   # (the pattern is a regex, so the dots are escaped)
   RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
   RewriteRule ^/?(.*)$ https://www.example.com/$1 [L,R=301]

   # Plain HTTP requests for the canonical host go to HTTPS.
   # The optional leading slash keeps the rule correct in both server and
   # directory context, so the redirect never produces a double slash.
   RewriteCond %{HTTPS} off
   RewriteRule ^/?(.*)$ https://www.example.com/$1 [L,R=301]
</IfModule>
<IfModule headers_module>
   # HSTS: browsers remember to use HTTPS for 6 months (15768000 s), subdomains included
   Header add Strict-Transport-Security "max-age=15768000; includeSubDomains"
</IfModule>

You can test your web server SSL configuration with this excellent online utility: https://www.ssllabs.com/ssltest/analyze.html
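As a local complement to the online test, here is an added example (my own code, not from the post or from the scripts in the linked repository). It classifies the SSLCipherSuite value above by key exchange, so you can see which suites give forward secrecy and which ones (the RC4 suites) are weak, and it asks the local OpenSSL which of the configured suites it can really offer: on a build with ECC stripped out, the ECDHE suites are silently dropped from the list, which is the problem the post works around. It assumes Python links against the same OpenSSL as httpd; the names WEAK_MARKERS, classify, locally_supported and forward_secrecy_gap are this example's own.

```python
# Added example, not part of the original post: classify an Apache
# SSLCipherSuite string and compare it with what the local OpenSSL offers.
import ssl

# The SSLCipherSuite value from the ssl.conf shown in the post.
APACHE_CIPHER_SUITE = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:"
    "ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:"
    "AES128-SHA:CAMELLIA128-SHA"
)

# Substrings that mark a suite as weak by today's standards (constructed list).
WEAK_MARKERS = ("RC4", "DES-CBC3", "NULL", "EXP")


def key_exchange(name):
    """Key-exchange family of an OpenSSL suite name: ECDHE and DHE are ephemeral
    (forward secrecy); everything else in this list uses static RSA key transport."""
    if name.startswith("ECDHE-"):
        return "ECDHE"
    if name.startswith(("DHE-", "EDH-")):
        return "DHE"
    return "RSA"


def suites(cipher_string):
    """Split a colon-separated cipher string, dropping modifiers such as !aNULL or @STRENGTH."""
    return [s for s in cipher_string.split(":") if s and s[0] not in "!-+@"]


def classify(cipher_string):
    """Bucket each configured suite: 'pfs' (ECDHE/DHE), 'no_pfs' (static RSA) and 'weak'.
    A suite can be both 'pfs' and 'weak' (ECDHE-RSA-RC4-SHA, for instance)."""
    report = {"pfs": [], "no_pfs": [], "weak": []}
    for name in suites(cipher_string):
        bucket = "pfs" if key_exchange(name) != "RSA" else "no_pfs"
        report[bucket].append(name)
        if any(marker in name for marker in WEAK_MARKERS):
            report["weak"].append(name)
    return report


def locally_supported(cipher_string):
    """Suite names the local OpenSSL build can negotiate from this string (TLS 1.2 and
    below). TLS 1.3 suites are excluded because set_ciphers() does not control them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # raised only when no suite in the string is usable at all
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def forward_secrecy_gap(cipher_string):
    """Configured ECDHE/DHE suites that the local OpenSSL silently drops. On a build
    with ECC removed, every ECDHE suite ends up here."""
    available = set(locally_supported(cipher_string))
    return [s for s in classify(cipher_string)["pfs"] if s not in available]


if __name__ == "__main__":
    report = classify(APACHE_CIPHER_SUITE)
    print("forward secrecy: %d suites, static RSA: %d suites, weak: %s"
          % (len(report["pfs"]), len(report["no_pfs"]), report["weak"]))
    print("not offered by this OpenSSL:", forward_secrecy_gap(APACHE_CIPHER_SUITE) or "none")
```

Run it against the stock openssl and then against the rebuilt one: with the rebuilt library the "not offered" list should be empty, while a build without ECC should list every ECDHE suite there, since the same cipher string then leaves httpd with only the DHE suites for forward secrecy.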
