On 26.08.2013 16:24, Chuck Anderson wrote:
> On Mon, Aug 26, 2013 at 11:17:52AM +0200, Reindl Harald wrote:
>> cause and effect
>> because Fedora does *not* support Ciphers without large performance impacts
>>
>> in reality without ECDHE you have no way
>> go to https://www.ssllabs.com/ssltest/ and look at the client-handshakes
>> practically no client is using PFS without ECDHE
>>
>> that's the truth if it comes to PFS and Redhat/Fedora
>> http://www.internetstaff.com/roller/blog/entry/enable_elliptical_curve_diffie_hellman
>
> Not Found
>
> The requested URL /roller/blog/entry/enable_elliptical_curve_diffie_hellman was not found on this server.
>
>> http://www.theverge.com/2013/6/26/4468050/facebook-follows-google-with-tough-encryption-standard

and how can i quote from the URL?
http://www.internetstaff.com/roller/blog/entry/enable_elliptical_curve_diffie_hellman

Sunday July 21, 2013
Enable Elliptical Curve Diffie-Hellman (ECDHE) in Fedora or Amazon Linux

With all the recent publicity regarding Internet spying, there has been a renewed interest in security and encryption. One oft-neglected feature of SSL is the ability to use a cipher with Diffie-Hellman key exchange that enables so-called perfect forward secrecy. The advantage of PFS is that even if your private key is compromised, recorded past traffic cannot be decrypted.

The problem is that Diffie-Hellman algorithms are very slow. This can be offset to a large degree by using Elliptical Curve Diffie-Hellman (ECDHE).

The problem for Red Hat / CentOS / Fedora users is that Red Hat intentionally disables ECDHE ciphers (among others) because they're unsure of the patent issues surrounding them. Fixing this requires a custom compilation of OpenSSL. Luckily, it is readily accomplished using the Fedora source RPM and does not require rolling your own binaries from scratch. In addition, you must recompile applications such as Apache's mod_ssl after installing the new OpenSSL packages.

Here's how we enable ECDHE ciphers in Apache on a Fedora or Amazon Linux server:

1. Download and install the openssl and httpd source RPMs.
2. Download the official openssl-1.0.1e.tar.gz source package into /root/rpmbuild/SOURCES.
3. Apply the patch below to /root/rpmbuild/SPECS/openssl.spec
4. rpmbuild -bb openssl.spec
5. Install the openssl-libs and openssl-devel RPMs in /root/rpmbuild/RPMS/arch
6. rpmbuild -bb httpd.spec
7. Install the mod_ssl RPM in /root/rpmbuild/RPMS/arch
8. Edit your Apache config to prefer ECDHE ciphers
9. Restart Apache
10. Test your Apache installation with Qualys' SSL Labs to verify your settings
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
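The thread's point is that a cipher list without ECDHE suites leaves almost no client able to negotiate forward secrecy, and that after rebuilding OpenSSL you should check what the library actually offers before editing Apache's cipher preference. The script below is an added example, not from the mailing list or the quoted blog post: it parses the text format printed by `openssl ciphers -v` (the `Kx=` column tells ephemeral ECDH/DH apart from static RSA or fixed-ECDH key exchange), counts how many suites give forward secrecy, and produces an ordering with ECDHE first that can be pasted into Apache's `SSLCipherSuite`. The two cipher lists embedded in it are constructed to look like a stock build without ECDHE and a rebuilt one with it; they were not captured from a real host.

```python
import re
from collections import Counter

# Constructed sample of `openssl ciphers -v` output (NOT captured from a real
# Fedora or Amazon Linux host). The first list mimics a build with the ECDHE
# suites compiled out, the second a rebuilt OpenSSL that exposes them.
STOCK_NO_ECDHE = """\
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

WITH_ECDHE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# One line per suite: name, protocol, then Kx=..., Au=..., Enc=..., Mac=...
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")


def parse_ciphers(text):
    """Turn `openssl ciphers -v` output into a list of (suite name, Kx) tuples."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            suites.append((m.group("name"), m.group("kx")))
    return suites


def classify_kx(kx):
    """Ephemeral ECDH (Kx=ECDH) and ephemeral DH (Kx=DH) give forward secrecy.
    Fixed ECDH ('ECDH/RSA', 'ECDH/ECDSA') and RSA key transport do not: the
    session keys can be recovered later from the server's long-term key."""
    if kx == "ECDH":
        return "ECDHE"
    if kx == "DH":
        return "DHE"
    return "static"


def audit(text):
    """Summarise how much forward secrecy a cipher list really offers.
    'pfs_usable_by_most_clients' reflects the thread's observation that
    clients in practice only negotiate PFS via ECDHE, not via slow DHE."""
    suites = parse_ciphers(text)
    counts = Counter(classify_kx(kx) for _, kx in suites)
    return {
        "total": len(suites),
        "ecdhe": counts["ECDHE"],
        "dhe": counts["DHE"],
        "static": counts["static"],
        "pfs_usable_by_most_clients": counts["ECDHE"] > 0,
    }


def preferred_order(text):
    """Suite names ordered ECDHE first, then DHE, then static key exchange,
    keeping OpenSSL's own order within each group (sorted() is stable)."""
    rank = {"ECDHE": 0, "DHE": 1, "static": 2}
    suites = parse_ciphers(text)
    return [name for name, _ in sorted(suites, key=lambda s: rank[classify_kx(s[1])])]


def apache_cipher_suite(text):
    """Colon-separated value for Apache's SSLCipherSuite directive; pair it
    with `SSLHonorCipherOrder on` so the server, not the client, picks first."""
    return ":".join(preferred_order(text))


if __name__ == "__main__":
    for label, sample in (("stock build", STOCK_NO_ECDHE), ("rebuilt OpenSSL", WITH_ECDHE)):
        print(label, audit(sample))
        print("  SSLCipherSuite", apache_cipher_suite(sample))
```

On a real host, feed it `openssl ciphers -v 'ALL:!aNULL'` instead of the embedded samples; an empty `ecdhe` count after the rebuild means the spec patch did not take effect, and the SSL Labs test the post ends with should agree with the local audit.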