{"id":1364,"date":"2021-03-11T19:17:24","date_gmt":"2021-03-11T19:17:24","guid":{"rendered":"https:\/\/dft.wiki\/?p=1364"},"modified":"2021-03-16T13:16:58","modified_gmt":"2021-03-16T13:16:58","slug":"perfect-forward-secrecy-pfs-on-apache-and-nginx","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=1364","title":{"rendered":"Perfect Forward Secrecy (PFS) on Apache and NGINX"},"content":{"rendered":"

HTTPS uses SSL\/TLS to encrypt the traffic between server and client using Private and Public keys and also an external Certificate Authority (CA).<\/p>\n

Perfect Forward Secrecy (PFS) is an additional layer of protection that prevents the traffic to be decrypted even if the hacker has the server’s private key.<\/p>\n

For each webserver, look for the configuration files of the sites that are being hosted and add the following commands:<\/p>\n

Apache<\/strong><\/p>\n

SSLProtocol all -SSLv2 -SSLv3\r\nSSLHonorCipherOrder on\r\nSSLCipherSuite \"...\"<\/strong><\/pre>\n
    \n
  • GCM without RC4<\/strong> (too strict against old browsers)\n
      \n
    • “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4”<\/li>\n<\/ul>\n<\/li>\n
    • \u00a0GCM without RC4 as a last resort<\/strong> (recommended for now)\n
        \n
      • “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4”<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
        NGINX<\/strong><\/p>\n
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;\r\nssl_prefer_server_ciphers on;\r\nssl_ciphers \"...\";<\/strong><\/pre>\n
          \n
        • GCM without RC4<\/strong> (too strict against old browsers)\n
            \n
          • “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4”;<\/li>\n<\/ul>\n<\/li>\n
          • \u00a0GCM without RC4 as a last resort<\/strong> (recommended for now)\n
              \n
            • “EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4”;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
              Note: where there is “…”<\/strong> it has to be replaced with one of the two options given in the sequence.<\/p>\n","protected":false},"excerpt":{"rendered":"
              HTTPS uses SSL\/TLS to encrypt the traffic between server and client using Private and Public […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-1364","post","type-post","status-publish","format-standard","hentry","category-web"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/1364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1364"}],"version-history":[{"count":4,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/1364\/revisions"}],"predecessor-version":[{"id":1369,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/1364\/revisions\/1369"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}