5

I'm trying to configure my webserver for perfect forward secrecy.

I'm using

ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+ECDSA+AESCBC:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+AESCBC:EECDH+aRSA+RC4:EDH+aRSA:EECDH:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

The problem is that, at least on Mac OS 10.9, all major browsers (Chrome, Firefox, Safari, all up to date) will use RC4 as the cipher (TLS_ECDHE_RSA_WITH_RC4_128_SHA).

Disabling RC4 on the server will result in an ssl error on the client.

What am I doing wrong, and is it reasonable to have PFS with a not-too-secure cipher?

edit: now I'm using

ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;

It works with Chrome and Safari, but Firefox 25 fails to establish a connection.

Deer Hunter
user193565

1 Answer

4

If you connect to this site with your Web browser, it will show you what protocol versions and cipher suites are supported by that browser. Notably, Firefox does not seem to support (yet) TLS 1.1 and 1.2, so this prevents it from using any cipher suite ending in "_SHA256" because these are for TLS-1.2 only.

If your server is accessible from the Internet, SSL Labs also offers a test page for servers that can tell you what your server is indeed advertising. Alternatively, if your server is private in some way, you may try to use this tool, which won't tell you as much but can work on private networks (the C#/.NET version has fewer bugs than the Java version).


Perfect Forward Secrecy relates to the protection of the confidentiality of the data against ulterior theft of the server's private key. This kind of risk is all-or-nothing: either the key is stolen (and every non-PFS past connection is revealed, if it was recorded of course), or not. With RC4, issues are more of a statistical nature; the known problems of RC4 are small biases which, usually, don't reveal much. Both risks are not exactly of the same kind, so you cannot really compare one with the other except in a very general view where, for instance, you try to estimate the average costs induced by breaches. But "average" does not apply well to a single Web site...

Personally, I'd go for PFS, even if it implies using RC4.

Thomas Pornin
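The protocol-version point in the answer above can be checked mechanically against a cipher list. The following is an added example, not part of the original question or answer: it classifies explicit OpenSSL suite names by name alone (the function names `classify`, `negotiable` and `report` are hypothetical, and keyword strings such as `EECDH+aRSA` are rejected because only OpenSSL can expand them), then shows which suites from the question's second list remain for a client limited to TLS 1.0.

```python
from dataclasses import dataclass

# Second ssl_ciphers value from the question (explicit OpenSSL suite names).
QUESTION_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;"
)

@dataclass(frozen=True)
class Suite:
    name: str
    forward_secret: bool  # ephemeral (EC)DH key exchange
    tls12_only: bool      # AEAD or SHA-256/384 MAC: defined for TLS 1.2 only
    rc4: bool

def classify(name: str) -> Suite:
    """Derive properties from an explicit OpenSSL-style suite name (name-based rule)."""
    if not name or name[0] == "-" or any(c in name for c in "+!@"):
        raise ValueError(f"not an explicit suite name: {name!r}")
    parts = name.upper().split("-")
    aead = "GCM" in parts or "CHACHA20" in parts
    return Suite(
        name=name,
        forward_secret=parts[0] in ("ECDHE", "DHE", "EDH"),
        tls12_only=aead or parts[-1] in ("SHA256", "SHA384"),
        rc4="RC4" in parts,
    )

def negotiable(cipher_list: str, client_has_tls12: bool) -> list:
    """Suites from the server list, in order, that the client's protocol allows."""
    names = [n for n in cipher_list.strip().rstrip(";").split(":") if n]
    suites = [classify(n) for n in names]
    return [s for s in suites if client_has_tls12 or not s.tls12_only]

def report(cipher_list: str) -> dict:
    """Per client class: usable suites, whether all give PFS, whether any is RC4."""
    out = {}
    for label, tls12 in (("TLS 1.2 client", True), ("TLS 1.0 client", False)):
        usable = negotiable(cipher_list, tls12)
        out[label] = {
            "suites": [s.name for s in usable],
            "all_pfs": bool(usable) and all(s.forward_secret for s in usable),
            "any_rc4": any(s.rc4 for s in usable),
        }
    return out

if __name__ == "__main__":
    for label, info in report(QUESTION_LIST).items():
        print(label, info)
```

The result covers protocol version only; whether a client actually offers a remaining suite, and whether the server certificate matches its authentication type, still has to be confirmed with the test tools mentioned in the answer.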