Can someone point me in using the correct OpenSSL commands to use a certain cipher suite. For example DHE-RSA-AES256-GCM-SHA384 (I am not using ECDH suite because of supposed NSA backdoor controversy/issues). As I will be using this on an internal network I would stick to TLSv1.2 (will be using Firefox 39.0 portable).
- key exchange = Diffie-Hellman Ephemeral
- authentication = RSA
- encryption = AESGCM(256)
- Message authentication code = AEAD
(what above parts come into play in the openssl commands to generate key and cert)
Create own Root CA key and cert:
- openssl genpkey -algorithm DH -out rootca.key ....
- openssl req -x509 -new -SHA512 -nodes -key rootca.key -days 1826 -out rootca.crt
Create CSR.
- openssl req -new -SHA512 -key server.key -nodes -out server.csr
Create FQDN key and cert with own Root CA. (created a DynDNS account to have it tested by Qualys SSL test)
- openssl x509 -req -SHA512 -days 1826 -in server.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -out server.crt
part of /etc/nginx/nginx.conf:
ssl_protocols TLSv1.2;
ssl_ciphers "DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
using:
- OpenSSL 1.0.1k
- Nginx 1.6.2
- Debian 8.1