Forum: NGINX Centos 6.5 and ECDH ciphers in nginx.org Centos repo

Nick Jenkin (Guest)
on 2014-01-06 04:57
(Received via mailing list)
Hi

In Centos 6.5 (and RHEL 6.5) the ECDH ciphers were enabled. There
appears to be an issue with the nginx.org 1.5.8 Centos binaries still
not having support for ECDHE despite having updated openssl 1.01e with
elliptic curves.

If I compile from source, ECDH works fine. Is there something wrong with
the centos binaries?

Ciphers on Centos 6.5:

[nick@dev9145 conf.d]$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5

ECDHE test:
openssl s_client -tls1_2 -cipher ECDH -connect 127.0.0.1:443
CONNECTED(00000003)
139798957754184:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1256:SSL alert number 40
139798957754184:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
Thanks
-Nick
Jeffrey Walton (Guest)
on 2014-01-06 11:07
(Received via mailing list)
On Sun, Jan 5, 2014 at 10:56 PM, Nick Jenkin <nick@thenile.com.au>
wrote:
> Hi
>
> In Centos 6.5 (and RHEL 6.5) the ECDH ciphers were enabled. There appears to be
> an issue with the nginx.org 1.5.8 Centos binaries still not having support for
> ECDHE despite having updated openssl 1.01e with elliptic curves.
>
> If I compile from source, ECDH works fine. Is there something wrong with the
> centos binaries?
>
http://unix.stackexchange.com/questions/84283/how-...

Though the question is about Apache, it specifically calls out nginx
as needing a recompile on the platform after updating from OpenSSL
1.0.0 to OpenSSL 1.0.1 due to static linking.

Jeff
Nick Jenkin (Guest)
on 2014-01-06 11:11
(Received via mailing list)
RHEL used 1.0.0 in 6.4, however in 6.5 it was updated to OpenSSL
1.0.1e-fips 11 Feb 2013
See:
https://access.redhat.com/site/documentation/en-US...

Like I said, if I compile nginx myself, ECDH works fine. It's the
nginx.org binaries that do not work. So it would appear the nginx.org
binaries are statically compiled against the older version, so I guess
the question is when will the nginx.org builds be built on 6.5?
-Nick
Jeffrey Walton (Guest)
on 2014-01-06 11:28
(Received via mailing list)
On Mon, Jan 6, 2014 at 5:10 AM, Nick Jenkin <nick@thenile.com.au> wrote:
> RHEL used 1.0.0 in 6.4, however in 6.5 it was updated to OpenSSL 1.0.1e-fips 11
> Feb 2013
> See:
> https://access.redhat.com/site/documentation/en-US...
>
> Like I said, if I compile nginx myself it ECDH works fine. It's the nginx.org
> binaries that do not work. So it would appear the nginx.org binaries are
> statically compiled against the older version...

That's easy enough to check. Run ldd on it and look for an OpenSSL
dependency. If SSL/TLS is enabled and the dependency is missing, then
nginx was statically linked against OpenSSL. Below, nginx was built
with a dependency on the shared object.

$ ldd objs/nginx
    linux-vdso.so.1 =>  (0x00007fff85f96000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f9f0345b000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9f0323f000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f9f03007000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f9f02dca000)
    libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f9f02b6a000)
    libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f9f02785000)
    ...

> so I guess the question is when will the nginx.org builds be built on 6.5?
Sorry, I can't help. I believe that's a question for the Red Hat or
CentOS folks.

Jeff
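Added example, not code from the thread or from nginx: the ldd-based check Jeff describes above, applied to constructed `nginx -V` and `ldd` output, together with a filter that pulls the ECDHE suites out of an `openssl ciphers` list like the one in Nick's first post. The library names and paths in the samples are assumed CentOS 6 values; `--with-http_ssl_module` is the real configure flag that enables TLS in nginx.

```python
import re

# Constructed sample of `nginx -V` output (not from the thread); the
# --with-http_ssl_module flag is what tells us TLS was compiled in.
NGINX_V_TLS = """nginx version: nginx/1.5.8
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-pcre
"""

# Constructed `ldd` output for a binary that links the system OpenSSL
# shared objects (the healthy case Jeff shows; paths are assumed).
LDD_DYNAMIC = """\tlinux-vdso.so.1 =>  (0x00007fff85f96000)
\tlibpcre.so.0 => /lib64/libpcre.so.0 (0x00007f9f02dca000)
\tlibssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f9f02b6a000)
\tlibcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f9f02785000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f9f023f0000)
"""

# Constructed `ldd` output with no OpenSSL entries at all.
LDD_STATIC = """\tlinux-vdso.so.1 =>  (0x00007fff85f96000)
\tlibpcre.so.0 => /lib64/libpcre.so.0 (0x00007f9f02dca000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f9f023f0000)
"""

_OPENSSL_LIB = re.compile(r"^\s*(libssl|libcrypto)\.so(\.[\w.]+)?\s*=>\s*(\S+)", re.M)

def openssl_linkage(nginx_v, ldd):
    """Classify how an nginx binary gets its OpenSSL, following the check
    from the thread: TLS compiled in but no libssl/libcrypto in the ldd
    output means the OpenSSL code was linked statically at build time."""
    tls_enabled = "--with-http_ssl_module" in nginx_v
    libs = {m.group(1): m.group(3) for m in _OPENSSL_LIB.finditer(ldd)}
    if not tls_enabled:
        return "no-tls", libs
    if "libssl" in libs and "libcrypto" in libs:
        return "dynamic", libs
    return "static", libs

def ecdhe_suites(cipher_list):
    """Return the ECDHE (ephemeral ECDH) suites from `openssl ciphers` output.
    This reflects the system toolkit only: a statically linked nginx carries
    its own OpenSSL and may lack them even when the system lists them."""
    return [c for c in cipher_list.strip().split(":") if c.startswith("ECDHE-")]

if __name__ == "__main__":
    print(openssl_linkage(NGINX_V_TLS, LDD_DYNAMIC)[0])  # dynamic
    print(openssl_linkage(NGINX_V_TLS, LDD_STATIC)[0])   # static
```

A "static" result for a TLS-enabled binary is the case Maxim confirms for the nginx.org CentOS 6 packages: the ECDHE suites the system `openssl ciphers` reports say nothing about what that binary can negotiate.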
Maxim Dounin (Guest)
on 2014-01-06 13:55
(Received via mailing list)
Hello!

On Mon, Jan 06, 2014 at 02:56:23PM +1100, Nick Jenkin wrote:

> Ciphers on Centos 6.5:
[...]

This is expected.  Builds are done for CentOS 6, not just CentOS
6.5, so they are done with OpenSSL as available in previous
versions to ensure compatibility with previous versions of CentOS 6.

--
Maxim Dounin
http://nginx.org/