
Nginx ssl cipher suite

Discussion in 'Centmin Mod Insights' started by rdan, Jul 7, 2014.

  1. rdan

    rdan Well-Known Member

    5,449
    1,410
    113
    May 25, 2014
    Ratings:
    +2,204
    Local Time:
    6:24 AM
    Mainline
    10.2
    I was using Comodo before; they have 2 intermediates that need to be concatenated with the domain cert, resulting in 3 certs in the unified file.
    That results in an 8KB file just for unified.crt.

    That's why I transferred to RapidSSL: only 2 certs, giving a 3-4 KB file.

     
  2. eva2000

    eva2000 Administrator Staff Member

    55,156
    12,249
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,825
    Local Time:
    8:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    I think, depending on the cert, some roots would be required if the browser doesn't contain a copy https://www.namecheap.com/support/k...x/886/38/chained-and-single-root-certificates and I don't think the older browser problem was cert-type related, but rather your chosen ciphers ;)

    But for @BamaStangGuy your root is already in the trust store so it is not needed AFAIK.

    Yeah, Comodo EssentialSSL has 5 files, while Comodo PositiveSSL as well as Comodo SSL/Wildcard SSL all have 3 in total.

    Code:
    » ComodoSSL / ComodoSSL Wildcard / ComodoSSL UCC
    » Root: AddTrustExternalCARoot.crt
    » Intermediate: ComodoSSLCA.crt
    » End-Entity/Domain Certificate
    
    » EssentialSSL / Free Certificate
    » Root: AddTrustExternalCARoot.crt
    » Intermediate 1: UTNAddTrustSGCCA.crt
    » Intermediate 2: ComodoUTNSGCCA.crt
    » Intermediate 3: EssentialSSLCA_2.crt
    » End-Entity/Domain Certificate
    
    » PositiveSSL
    » Root: AddTrustExternalCARoot.crt
    » Intermediate: PositiveSSLCA2.crt
    » End-Entity/Domain Certificate 
     
  3. rdan

    That's bad!
    5 certs to load for a first-time visitor, wooh!
     
  4. eva2000

    Yeah, quite a few.. I just stick with wildcard certs myself - if you need to protect >5 subdomains, then a wildcard SSL works out cheaper than an individual SSL for each subdomain :D
     
  5. eva2000

    This forum's Nginx and OpenSSL configuration has been updated to Nginx 1.7.3, and Centmin Mod Nginx's statically compiled OpenSSL 1.0.1h has been patched with the Cloudflare RC4 Kill patched OpenSSL version outlined at https://community.centminmod.com/threads/nginx-ssl-cipher-suite.714/#post-3341
    Nginx 1.7.3 updated

    Code:
    nginx -V
    nginx version: nginx/1.7.3
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-I/svr-setup/staticlibssl/include -I/usr/include' --with-ld-opt='-L/svr-setup/staticlibssl/lib -Wl,-rpath -lssl -lcrypto -ldl -lz' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_flv_module --with-http_realip_module --with-http_geoip_module --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.1 --add-module=../headers-more-nginx-module-0.25 --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --with-http_dav_module --add-module=../nginx-dav-ext-module-0.0.3 --with-openssl=../openssl-1.0.1h --with-libatomic --with-pcre=../pcre-8.35 --with-pcre-jit --with-http_spdy_module --add-module=../ngx_pagespeed-release-1.8.31.4-beta
    
    You can see the patch working on IE8: it skips all the RC4 preferred and prioritised SSL ciphers in its profile at https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8&platform=XP and opts for TLS_RSA_WITH_3DES_EDE_CBC_SHA

    Handshake Simulation
     
    Last edited: Jul 9, 2014
  6. rdan

    I think it's better to include the Cloudflare patch as default in Centmin Mod ;)
     
  7. eva2000

    Added as an option in .08 beta but disabled by default, as it's unknown when the next OpenSSL 1.0.1x build will break and not be compatible with the patch - committed to .08 beta on Github https://github.com/centminmod/centminmod/commits/123.08beta01 ;) This time no alternate zips; it's easier to manage if working from Github for the .08 beta01 and .08 centos 7 beta 01 branches :)
     
  8. BamaStangGuy

    BamaStangGuy Active Member

    668
    192
    43
    May 25, 2014
    Ratings:
    +272
    Local Time:
    5:24 PM
    I have fixed this now. Thanks.
     
  9. eva2000

    looking better :)
     
  10. rdan

    Please also include this in the stable release zip?
     
  11. eva2000

    .07 stable only gets bug fix updates now. Newer features such as this go into .08 beta+ for now :)
     
  12. Andy

    Andy Active Member

    544
    89
    28
    Aug 6, 2014
    Ratings:
    +133
    Local Time:
    5:24 PM
    I just ordered RapidSSL and they only emailed me the server cert as well as intermediate.crt.
    I saw that you need the root.pem to generate trusted.crt; where did you get that root.pem?
     
  13. eva2000

    Google led me to RapidSSL - Knowledge Center - SSL Certificates Support - but asking RapidSSL support is probably better.
     
  14. Andy

    Got the cert installed correctly according to
    RapidSSL - Knowledge Center - SSL Certificates Support
    and SSLLabs gives me an A+ score, but OCSP is not working:
    Qualys SSL Labs - Projects / SSL Server Test / quantnet.com

    I basically followed your guide on SSL
    Code:
    server {
        listen 443 ssl spdy;
        server_name quantnet.com;

        # server (leaf) cert followed by the intermediate(s); the root is not needed here
        ssl_certificate      /usr/local/nginx/conf/ssl/quantnet.com/ssl-unified.crt;
        ssl_certificate_key  /usr/local/nginx/conf/ssl/quantnet.com/ssl.key;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        # cipher list truncated in the original post
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GC$
        ssl_prefer_server_ciphers   on;
        add_header Alternate-Protocol  443:npn-spdy/3;
        add_header Strict-Transport-Security "max-age=31536000;";

        # OCSP stapling: with ssl_stapling_verify on, nginx checks the stapled
        # response against the chain in ssl_trusted_certificate
        resolver 8.8.8.8;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/quantnet.com/ssl-trusted.crt;
    }
    The ssl-trusted.crt is the part I'm not sure about.

    Here are the SSL instructions for nginx: RapidSSL - Knowledge Center - SSL Certificates Support

    What's missing from this and your instructions to create trusted.crt is the root.pem. Is this called something different with RapidSSL?
     
  15. Andy

    Solved.
    According to this thread nginx - OCSP validation - unable to get local issuer certificate - Server Fault

    I need to get GeoTrust_Global_CA.crt and rapidsslG3.crt

    I got the GeoTrust one directly from the GeoTrust website. rapidsslg3 is the intermediate cert that was included in the email.

    Then we can just do cat Intermediate.crt GeoTrust_Global_CA.crt > ssl-trusted.crt

    Now OCSP is working
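As an added example (not code from the thread, from RapidSSL or from Centmin Mod), the following POSIX shell script builds the two chain files the thread ends up with, ssl-unified.crt for ssl_certificate and ssl-trusted.crt for ssl_trusted_certificate, and then checks with openssl that the leaf is first in the unified file, that the leaf chains to the root through ssl-trusted.crt alone, and that the emailed intermediate by itself is not enough (the "unable to get local issuer certificate" case). It generates a constructed root/intermediate/leaf hierarchy so it runs offline; the work directory, the file names root.crt/int.crt/leaf.crt/ssl.key, the CN values and the presence of the openssl command line tool are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread or Centmin Mod): build and verify the two
# chain files nginx uses.
#   ssl-unified.crt (ssl_certificate)         = leaf + intermediate(s), no root
#   ssl-trusted.crt (ssl_trusted_certificate) = intermediate(s) + root; nginx
#     needs the root here to verify the stapled OCSP response, which is the
#     "unable to get local issuer certificate" problem from the thread.
set -e

# Constructed root -> intermediate -> leaf hierarchy so this runs offline; with
# a real CA, leaf.crt/int.crt are the emailed files and root.crt the CA's root.
make_test_chain() {
    d=$1; mkdir -p "$d"
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=Test Root CA' -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$d/ssl.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
}

# Order matters: nginx sends ssl-unified.crt as-is, so the leaf must be first.
build_chain_files() {
    d=$1
    cat "$d/leaf.crt" "$d/int.crt"  > "$d/ssl-unified.crt"
    cat "$d/int.crt"  "$d/root.crt" > "$d/ssl-trusted.crt"
}

# Returns 0 only if the unified file starts with the server cert, the leaf
# chains to the root using nothing but ssl-trusted.crt, and the intermediate
# alone (what the CA emails you) is confirmed NOT to be enough.
check_chain_files() {
    d=$1
    first=$(openssl x509 -in "$d/ssl-unified.crt" -noout -subject)
    leaf=$(openssl x509 -in "$d/leaf.crt" -noout -subject)
    [ "$first" = "$leaf" ] || { echo "leaf is not first in ssl-unified.crt"; return 1; }
    openssl verify -no-CAfile -no-CApath -CAfile "$d/ssl-trusted.crt" "$d/leaf.crt" >/dev/null 2>&1 ||
        { echo "leaf does not chain to the root via ssl-trusted.crt"; return 1; }
    ! openssl verify -no-CAfile -no-CApath -CAfile "$d/int.crt" "$d/leaf.crt" >/dev/null 2>&1
}
# Usage: sh chain-check.sh /path/to/workdir  (no argument: only define functions)
[ $# -eq 0 ] || { make_test_chain "$1"; build_chain_files "$1"; check_chain_files "$1"; }
```

Against a live server, `openssl s_client -connect host:443 -status` shows whether a stapled OCSP response is actually being returned once nginx has the complete trusted chain.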
     