Centos 6.5 and ECDH ciphers in nginx.org Centos repo

Detlef_R · January 6, 2014, 4:57am

Hi

In Centos 6.5 (and RHEL 6.5) the ECDH ciphers were enabled. There
appears to be an issue with the nginx.org 1.5.8 Centos binaries still
not having support for ECDHE despite having updated openssl 1.01e with
elliptic curves.

If I compile from source, ECDH works fine. Is there something wrong with
the centos binaries?

Ciphers on Centos 6.5:

[[email protected] conf.d]$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5

ECDHE test:
openssl s_client -tls1_2 -cipher ECDH -connect 127.0.0.1:443
CONNECTED(00000003)
139798957754184:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1256:SSL alert number 40
139798957754184:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure:s3_pkt.c:596:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Thanks
-Nick

afriend · January 6, 2014, 11:07am

On Sun, Jan 5, 2014 at 10:56 PM, Nick J. [email protected]
wrote:

Hi

In Centos 6.5 (and RHEL 6.5) the ECDH ciphers were enabled. There appears to be
an issue with the nginx.org 1.5.8 Centos binaries still not having support for
ECDHE despite having updated openssl 1.01e with elliptic curves.

If I compile from source, ECDH works fine. Is there something wrong with the
centos binaries?

http://unix.stackexchange.com/questions/84283/how-can-i-get-tlsv1-2-support-in-apache-on-rhel6-centos-sl6

Though the question is about Apache, it specifically calls out nginx
as needing a recompile on the platform after updating from OpenSSL
1.0.0 to OpenSSL 1.0.1 due to static linking.

Jeff

afriend · January 6, 2014, 11:11am

RHEL used 1.0.0 in 6.4, however in 6.5 it was updated to OpenSSL
1.0.1e-fips 11 Feb 2013
See:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.5_Release_Notes/

Like I said, if I compile nginx myself it ECDH works fine. Its the
nginx.org binaries that do not work. So it would appear the nginx.org
binaries are statically compiled against the older version, so I guess
the question is when will the nginx.org builds be built on 6.5?
-Nick

afriend · January 6, 2014, 11:28am

On Mon, Jan 6, 2014 at 5:10 AM, Nick J. [email protected] wrote:

RHEL used 1.0.0 in 6.4, however in 6.5 it was updated to OpenSSL 1.0.1e-fips 11
Feb 2013
See:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.5_Release_Notes/

Like I said, if I compile nginx myself it ECDH works fine. It’s the nginx.org
binaries that do not work. So it would appear the nginx.org binaries are
statically compiled against the older version…

That’s easy enought to check. Run ldd on it an look for an OpenSSL
dependency. If SSL/TLS is eanbled and the dependency is missing, then
nginx was statically linked against OpenSSL. Below, nginx was built
with a dependency on the shared object.

$ ldd objs/nginx
linux-vdso.so.1 => (0x00007fff85f96000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f9f0345b000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f9f0323f000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1
(0x00007f9f03007000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3
(0x00007f9f02dca000)
libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
(0x00007f9f02b6a000)
libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(0x00007f9f02785000)
…

so I guess the question is when will the nginx.org builds be built on 6.5?
Sorry, I can’t help. I believe that’s a question for the Red Hat or
CentOS folks.

Jeff

afriend · January 6, 2014, 1:55pm

Hello!

On Mon, Jan 06, 2014 at 02:56:23PM +1100, Nick J. wrote:

Ciphers on Centos 6.5:
[…]

This is expected. Builds are done for CentOS 6, not just CentOS
6.5, so they are done with OpenSSL as available in previous
versions to ensure compatibility with previous versions of CentOS 6.

–
Maxim D.
http://nginx.org/