SlideShare uma empresa Scribd logo

Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL

Richard Fussenegger
Richard Fussenegger

The slides I used during the presentation.

TecnologiaEducação
1 de 10
Baixar para ler offline
(Perfect) Forward Secrecy with nginx and OpenSSL by Richard Fussenegger, BSc
Rules • Ask—if you have a question • Ask—if you don’t understand something • Ask—if you want to know more • Shout—if I get something wrong
nginx why use it? • I use it since approximately 2008 • Asynchronous event-driven • Multiple workers (fork) • Modular architecture • Used by e.g. WordPress, GitHub, Golem.de
OpenSSL why use it? • Supported by all major (*nix) software • Can be compiled directly into nginx • Lot’s of ciphers supported • Almost a standard today
Forward Secrecy “…allows today information to be kept secret even if the private key is compromised in the future.” Vincent Bernat, PhD
TLS AES128-SHA how does it work? • Server presents certificate • Both agree on master secret • Built from 48byte premaster secret gen. and encrypted by client w. public key of server • Master secret derived from premaster secret + random values via plain text • Authentication and encryption w. same private key! Vincent Bernat http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
Solution Ephemeral Diffie-Hellman • Use different key for authentication and encryption • Extending classic TLS handshake Server sends a Server Key Exchange message after regular Certificate message
How To very easy with nginx https://github.com/MovLib/www/blob/master/conf/nginx/conf/ssl.conf
Validate do things work? • Localhost: openssl s_client -tls1 -cipher ECDH -connect 127.0.0.1:443 • Online: https://www.ssllabs.com/ssltest/analyze.html
Thank you • More in my master thesis • Questions about nginx, PHP, Debian/Ubuntu? richard@fussenegger.info

Recomendados

Matriux blue
Matriux blueMatriux blue
Matriux blue
InMobi Technology
 
Mod security
Mod securityMod security
Mod security
Shruthi Kamath
 
Secure Web Coding
Secure Web CodingSecure Web Coding
Secure Web Coding
Xavier Mertens
 
Hacking Exposé - Using SSL to Secure SQL Server Connections
Hacking Exposé - Using SSL to Secure SQL Server ConnectionsHacking Exposé - Using SSL to Secure SQL Server Connections
Hacking Exposé - Using SSL to Secure SQL Server Connections
Chris Bell
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 Security
Skeeve Stevens
 
Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwords
inaz2
 
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsZero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Dane Schneider
 
Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638
Riyaz Walikar
 

Recomendados

Matriux blue
Matriux blueMatriux blue
Matriux blue
InMobi Technology
 
Mod security
Mod securityMod security
Mod security
Shruthi Kamath
 
Secure Web Coding
Secure Web CodingSecure Web Coding
Secure Web Coding
Xavier Mertens
 
Hacking Exposé - Using SSL to Secure SQL Server Connections
Hacking Exposé - Using SSL to Secure SQL Server ConnectionsHacking Exposé - Using SSL to Secure SQL Server Connections
Hacking Exposé - Using SSL to Secure SQL Server Connections
Chris Bell
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 Security
Skeeve Stevens
 
Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwords
inaz2
 
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsZero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Dane Schneider
 
Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638
Riyaz Walikar
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
UTD Computer Security Group
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition
Xavier Mertens
 
The Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraThe Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil Mahendra
Cysinfo Cyber Security Community
 
Mod Security
Mod SecurityMod Security
Mod Security
Abhishek Singh
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole
DefCamp
 
5 Hidden Performance Problems for ASP.NET
5 Hidden Performance Problems for ASP.NET5 Hidden Performance Problems for ASP.NET
5 Hidden Performance Problems for ASP.NET
Matt Watson
 
Lecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of ThingsLecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of Things
Alexandru Radovici
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
Anant Shrivastava
 
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo AppMRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
NGINX, Inc.
 
The internet of $h1t
The internet of $h1tThe internet of $h1t
The internet of $h1t
Amit Serper
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
OWASP
 
Lecture 5 - Webservers for the Internet of Things
Lecture 5 - Webservers for the Internet of ThingsLecture 5 - Webservers for the Internet of Things
Lecture 5 - Webservers for the Internet of Things
Alexandru Radovici
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
Romansh Yadav
 
Vault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureVault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructure
OpenCredo
 
Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)
Emily Stark
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
Michael Boelen
 
State of wifi_2016
State of wifi_2016State of wifi_2016
State of wifi_2016
antitree
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talk
Wallarm
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
OWASP
 
IT security for all. Bootcamp slides
IT security for all. Bootcamp slidesIT security for all. Bootcamp slides
IT security for all. Bootcamp slides
Wallarm
 
Webinar - DreamObjects/Ceph Case Study
Webinar - DreamObjects/Ceph Case StudyWebinar - DreamObjects/Ceph Case Study
Webinar - DreamObjects/Ceph Case Study
Ceph Community
 
Web security
Web securityWeb security
Web security
Greater Noida Institute Of Technology
 

Mais conteúdo relacionado

Mais procurados

DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole
DefCamp
 
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo AppMRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
NGINX, Inc.
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
OWASP
 
Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)
Emily Stark
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talk
Wallarm
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
OWASP
 
IT security for all. Bootcamp slides
IT security for all. Bootcamp slidesIT security for all. Bootcamp slides
IT security for all. Bootcamp slides
Wallarm
 

Mais procurados (20)

Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition
 
The Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraThe Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil Mahendra
 
Mod Security
Mod SecurityMod Security
Mod Security
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole
 
5 Hidden Performance Problems for ASP.NET
5 Hidden Performance Problems for ASP.NET5 Hidden Performance Problems for ASP.NET
5 Hidden Performance Problems for ASP.NET
 
Lecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of ThingsLecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of Things
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo AppMRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
MRA AMA: Ingenious: The Journey to Service Mesh using a Microservices Demo App
 
The internet of $h1t
The internet of $h1tThe internet of $h1t
The internet of $h1t
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
Lecture 5 - Webservers for the Internet of Things
Lecture 5 - Webservers for the Internet of ThingsLecture 5 - Webservers for the Internet of Things
Lecture 5 - Webservers for the Internet of Things
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
 
Vault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructureVault: Beyond secret storage - Using Vault to harden your infrastructure
Vault: Beyond secret storage - Using Vault to harden your infrastructure
 
Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)Web security at Meteor (Pivotal Labs)
Web security at Meteor (Pivotal Labs)
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
 
State of wifi_2016
State of wifi_2016State of wifi_2016
State of wifi_2016
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talk
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 
IT security for all. Bootcamp slides
IT security for all. Bootcamp slidesIT security for all. Bootcamp slides
IT security for all. Bootcamp slides
 

Semelhante a Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL

From Test to Live with Rex
From Test to Live with RexFrom Test to Live with Rex
From Test to Live with Rex
Jan Gehring
 
IP Protocol Security
IP Protocol SecurityIP Protocol Security
IP Protocol Security
David Barker
 
Sqlviking
SqlvikingSqlviking
Sqlviking
Jonn Callahan
 
scrazzl - A technical overview
scrazzl - A technical overviewscrazzl - A technical overview
scrazzl - A technical overview
scrazzl
 
Netflix oss season 2 episode 1 - meetup Lightning talks
Netflix oss season 2 episode 1 - meetup Lightning talksNetflix oss season 2 episode 1 - meetup Lightning talks
Netflix oss season 2 episode 1 - meetup Lightning talks
Ruslan Meshenberg
 

Semelhante a Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL (20)

Webinar - DreamObjects/Ceph Case Study
Webinar - DreamObjects/Ceph Case StudyWebinar - DreamObjects/Ceph Case Study
Webinar - DreamObjects/Ceph Case Study
 
Web security
Web securityWeb security
Web security
 
Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
From Test to Live with Rex
From Test to Live with RexFrom Test to Live with Rex
From Test to Live with Rex
 
Infura
InfuraInfura
Infura
 
Open Source Cyber Weaponry
Open Source Cyber WeaponryOpen Source Cyber Weaponry
Open Source Cyber Weaponry
 
Sanger, upcoming Openstack for Bio-informaticians
Sanger, upcoming Openstack for Bio-informaticiansSanger, upcoming Openstack for Bio-informaticians
Sanger, upcoming Openstack for Bio-informaticians
 
Flexible compute
Flexible computeFlexible compute
Flexible compute
 
IP Protocol Security
IP Protocol SecurityIP Protocol Security
IP Protocol Security
 
Sqlviking
SqlvikingSqlviking
Sqlviking
 
Vp ns
Vp nsVp ns
Vp ns
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon email
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private Network
 
scrazzl - A technical overview
scrazzl - A technical overviewscrazzl - A technical overview
scrazzl - A technical overview
 
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
 
OPEN'17_2_Customer Experience_Essent
OPEN'17_2_Customer Experience_EssentOPEN'17_2_Customer Experience_Essent
OPEN'17_2_Customer Experience_Essent
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013
 
Kubernetes for HCL Connections Component Pack - Build or Buy?
Kubernetes for HCL Connections Component Pack - Build or Buy?Kubernetes for HCL Connections Component Pack - Build or Buy?
Kubernetes for HCL Connections Component Pack - Build or Buy?
 
Netflix oss season 2 episode 1 - meetup Lightning talks
Netflix oss season 2 episode 1 - meetup Lightning talksNetflix oss season 2 episode 1 - meetup Lightning talks
Netflix oss season 2 episode 1 - meetup Lightning talks
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 

Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL

  • 1. (Perfect) Forward Secrecy with nginx and OpenSSL by Richard Fussenegger, BSc
  • 2. Rules • Ask—if you have a question • Ask—if you don’t understand something • Ask—if you want to know more • Shout—if I get something wrong
  • 3. nginx why use it? • I use it since approximately 2008 • Asynchronous event-driven • Multiple workers (fork) • Modular architecture • Used by e.g. WordPress, GitHub, Golem.de
  • 4. OpenSSL why use it? • Supported by all major (*nix) software • Can be compiled directly into nginx • Lot’s of ciphers supported • Almost a standard today
  • 5. Forward Secrecy “…allows today information to be kept secret even if the private key is compromised in the future.” Vincent Bernat, PhD
  • 6. TLS AES128-SHA how does it work? • Server presents certificate • Both agree on master secret • Built from 48byte premaster secret gen. and encrypted by client w. public key of server • Master secret derived from premaster secret + random values via plain text • Authentication and encryption w. same private key! Vincent Bernat http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
  • 7. Solution Ephemeral Diffie-Hellman • Use different key for authentication and encryption • Extending classic TLS handshake Server sends a Server Key Exchange message after regular Certificate message
  • 8. How To very easy with nginx https://github.com/MovLib/www/blob/master/conf/nginx/conf/ssl.conf
  • 9. Validate do things work? • Localhost: openssl s_client -tls1 -cipher ECDH -connect 127.0.0.1:443 • Online: https://www.ssllabs.com/ssltest/analyze.html
  • 10. Thank you • More in my master thesis • Questions about nginx, PHP, Debian/Ubuntu? richard@fussenegger.info