
Nginx ssl cipher suite

Discussion in 'Centmin Mod Insights' started by rdan, Jul 7, 2014.

  1. rdan

    rdan Well-Known Member

    4,856
    1,160
    113
    May 25, 2014
    Ratings:
    +1,740
    Local Time:
    12:41 PM
    Mainline
    10.2
    I was using Comodo before; they have 2 intermediates that need to be concatenated with the domain cert, resulting in 3 certs in the unified file.
    Resulting in an 8KB file just for unified.crt.

    That's why I transferred to RapidSSL: only 2 certs, giving a 3-4 KB file.
     
  2. eva2000

    eva2000 Administrator Staff Member

    43,042
    9,772
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,087
    Local Time:
    2:41 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    I think depending on the cert some roots would be required if the browser doesn't contain a copy https://www.namecheap.com/support/k...x/886/38/chained-and-single-root-certificates and I don't think the older browser problem was cert type related but your chosen ciphers ;)

    But for @BamaStangGuy your root is already in the trust store so it's not needed AFAIK

    Yeah, Comodo EssentialSSL has 5 files, while Comodo PositiveSSL as well as Comodo SSL/Wildcard SSL all have 3 total

    Code:
    » ComodoSSL / ComodoSSL Wildcard / ComodoSSL UCC
    » Root: AddTrustExternalCARoot.crt
    » Intermediate: ComodoSSLCA.crt
    » End-Entity/Domain Certificate
    
    » EssentialSSL / Free Certificate
    » Root: AddTrustExternalCARoot.crt
    » Intermediate 1: UTNAddTrustSGCCA.crt
    » Intermediate 2: ComodoUTNSGCCA.crt
    » Intermediate 3: EssentialSSLCA_2.crt
    » End-Entity/Domain Certificate
    
    » PositiveSSL
    » Root: AddTrustExternalCARoot.crt
    » Intermediate: PositiveSSLCA2.crt
    » End-Entity/Domain Certificate 
     
  3. rdan

    rdan Well-Known Member

    That's bad!
    5 certs to load for a first-time visitor, wooh!
     
  4. eva2000

    eva2000 Administrator Staff Member

    Yeah quite a few.. I just stick with Wildcard certs myself - if you need to protect >5 subdomains, then wildcard SSL works out cheaper than an individual SSL for each subdomain :D
     
  5. eva2000

    eva2000 Administrator Staff Member

    This forum's Nginx and OpenSSL configuration has been updated to Nginx 1.7.3 and Centmin Mod Nginx's static compiled OpenSSL 1.0.1h has been patched with Cloudflare RC4 Kill patched OpenSSL version outlined at https://community.centminmod.com/threads/nginx-ssl-cipher-suite.714/#post-3341
    Nginx 1.7.3 updated

    Code:
    nginx -V
    nginx version: nginx/1.7.3
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-I/svr-setup/staticlibssl/include -I/usr/include' --with-ld-opt='-L/svr-setup/staticlibssl/lib -Wl,-rpath -lssl -lcrypto -ldl -lz' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_flv_module --with-http_realip_module --with-http_geoip_module --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.1 --add-module=../headers-more-nginx-module-0.25 --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --with-http_dav_module --add-module=../nginx-dav-ext-module-0.0.3 --with-openssl=../openssl-1.0.1h --with-libatomic --with-pcre=../pcre-8.35 --with-pcre-jit --with-http_spdy_module --add-module=../ngx_pagespeed-release-1.8.31.4-beta
    
    You can see the patch working on IE8 as it skips all the RC4 preferred and prioritised SSL ciphers in its profile at https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8&platform=XP and opts for TLS_RSA_WITH_3DES_EDE_CBC_SHA

    Handshake Simulation
     
    Last edited: Jul 9, 2014
  6. rdan

    rdan Well-Known Member

    I think it's better to include Cloudflare patch as Default on Centmin Mod ;)
     
  7. eva2000

    eva2000 Administrator Staff Member

    Added as an option in .08 beta but disabled by default as it's unknown when the next OpenSSL 1.0.1.x build will break and not be compatible with the patch - committed to .08 beta on Github https://github.com/centminmod/centminmod/commits/123.08beta01 ;) This time no alternate zips; it's easier to manage if working from Github for the .08 beta01 and .08 CentOS 7 beta01 branches :)
     
  8. BamaStangGuy

    BamaStangGuy Premium Member

    635
    185
    43
    May 25, 2014
    Ratings:
    +255
    Local Time:
    10:41 PM
    I have fixed this now. Thanks.
     
  9. eva2000

    eva2000 Administrator Staff Member

    looking better :)
     
  10. rdan

    rdan Well-Known Member

    Please also include this on the stable release zip?
     
  11. eva2000

    eva2000 Administrator Staff Member

    .07 stable only gets bug fix updates now. Newer features such as this go into .08 beta+ for now :)
     
  12. Andy

    Andy Active Member

    456
    73
    28
    Aug 6, 2014
    Ratings:
    +101
    Local Time:
    11:41 PM
    I just ordered RapidSSL and they only emailed me the server cert as well as intermediate.crt.
    I saw that you need the root.pem to generate trusted.crt; where did you get that root.pem?
     
  13. eva2000

    eva2000 Administrator Staff Member

    Google led me to RapidSSL - Knowledge Center - SSL Certificates Support - but asking RapidSSL support is probably better
     
  14. Andy

    Andy Active Member

    Got the cert installed correctly according to
    RapidSSL - Knowledge Center - SSL Certificates Support
    and SSLLabs gives me an A+ score but OCSP is not working
    Qualys SSL Labs - Projects / SSL Server Test / quantnet.com

    I basically followed your guide on SSL
    Code:
    server {
            listen 443 ssl spdy;
            server_name quantnet.com;
    
            ssl_certificate      /usr/local/nginx/conf/ssl/quantnet.com/ssl-unified.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/quantnet.com/ssl.key;
    
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_session_cache      shared:SSL:10m;
            ssl_session_timeout  10m;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GC$
            ssl_prefer_server_ciphers   on;
            add_header Alternate-Protocol  443:npn-spdy/3;
            add_header Strict-Transport-Security "max-age=31536000;";
    
            resolver 8.8.8.8;
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_trusted_certificate /usr/local/nginx/conf/ssl/quantnet.com/ssl-trusted.crt;
    }
    The ssl-trusted.crt is the part I'm not sure about.

    Here are the SSL instructions for nginx: RapidSSL - Knowledge Center - SSL Certificates Support

    What's missing from this and your instructions to create trusted.crt is the root.pem. Is this called something different with RapidSSL?
     
  15. Andy

    Andy Active Member

    Solved.
    According to this thread nginx - OCSP validation - unable to get local issuer certificate - Server Fault

    I need to get the GeoTrust_Global_CA.crt and rapidsslG3.crt

    I got the GeoTrust one directly from the GeoTrust website. The rapidsslg3 is the intermediate cert that was included in the email.

    Then we can just do cat Intermediate.crt GeoTrust_Global_CA.crt > ssl-trusted.crt

    Now OCSP is working
     
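The two concatenations discussed in this thread (the unified chain nginx serves, and the intermediate-plus-root bundle that `ssl_trusted_certificate` needs for `ssl_stapling_verify`) are easy to get wrong in one mundane way: a PEM file that lacks a trailing newline fuses its END line onto the next file's BEGIN line, and nginx then rejects the whole bundle. The script below is an added example, not Centmin Mod's code and not something any poster wrote; it assumes the file names ssl.crt, intermediate.crt and root.pem, and the PEM bodies its demo() writes are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not Centmin Mod's code nor anything posted in this thread.
# Builds the two bundles nginx needs from the files a CA ships and checks them
# before a reload. File names (ssl.crt, intermediate.crt, root.pem) are assumed,
# and the PEM bodies written by demo() are constructed placeholders, not real
# certificates.

# Concatenate PEM files, in the order given, into the output file named by $1.
# Every input is forced to end with a newline: a file without one fuses its
# END line onto the next file's BEGIN line, and nginx then rejects the bundle.
pem_bundle() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # $(tail -c 1) is empty when the last byte is a newline
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
    done
}

# Number of certificates in a bundle, counting only BEGIN markers that sit on
# a line of their own; a fused END/BEGIN line is not counted, which is the point.
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Writes constructed placeholder files into a temp dir, builds both bundles
# and prints the directory. The intermediate deliberately lacks a trailing
# newline, as files copied out of a CA e-mail sometimes do.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF' '-----END CERTIFICATE-----' > "$dir/ssl.crt"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE' '-----END CERTIFICATE-----' > "$dir/intermediate.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-ROOT' '-----END CERTIFICATE-----' > "$dir/root.pem"

    # ssl_certificate: the chain nginx sends, leaf first, then the intermediate(s).
    # The root can be left out, as noted earlier in the thread, because the
    # client already holds it in its trust store.
    pem_bundle "$dir/ssl-unified.crt" "$dir/ssl.crt" "$dir/intermediate.crt"

    # ssl_trusted_certificate: what nginx uses to verify the stapled OCSP
    # response, intermediate(s) plus the root, without the leaf.
    pem_bundle "$dir/ssl-trusted.crt" "$dir/intermediate.crt" "$dir/root.pem"

    echo "$dir"
}
```

With real files, check the result before reloading nginx: `openssl verify -CAfile ssl-trusted.crt ssl.crt` confirms the trusted bundle actually chains the leaf to a root, and `openssl s_client -connect host:443 -servername host -status` against the running server prints "OCSP Response Status: successful" once stapling works.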