Things learned while using Perfect Forward Secrecy
Recently I upgraded some on my servers to use PFS. For those not familiar with PFS please read https://en.wikipedia.org/wiki/Forward_secrecy. Now I must admit, I have a strange setup of servers. I have a set of servers for each client and each performs a different function. One is an app server that can be accessed by client.company.com. These servers run nginx. I Also have a Nagios and Backuppc server that are accessed by nagios.custom.company.com. I purchased a wildcard SSL certificate for *.company.com. Before you say anything, I realize that using multilevel subdomains is not complaint with wildcard certs (see RFC 2818 and RFC 2459). Nagios is ONLY for me, not the customer, so I don’t care about the SSL warnings. To help illustrate:
customer.company.com -> nginx
nagios.customer.company.com -> Apache
Unfortunately, I’m pretty locked down on what OS I can run, and currently it is Ubuntu 12.04 (Yes, 14.04 is out, but it has too many issues and our software don’t run stable under it). Which means I have nginx 1.6 and Apache 2.2. Nginx 1.6 supports PFS, which I implemented without an issue, while Apache 2.2 does… but doesn’t. It appears to be some hack job by Ubuntu (Version 2.2.22 doesn’t have PFS, but 2.2.27 appears to have it. As we know, Ubuntu will back-port patches, and it looks like a patch got in to give semi-support to PFS, I decided not to use it).
Here is the interesting thing. With this setup, whether I setup PFS on Apache or not, I got the same results. The instant I setup PFS on nginx, I could no longer use the Nagios server on the Apache machine. In Firefox I would get an SSL error that I couldn’t bypass. No matter what, it wouldn’t work, even with other browsers.
So, I did a test. What would happen if I followed the rules of using wildcard SSL certs? So I changed the Nagios server to work under nagios-custom.company.com, and guess what? It actually worked!
I have no idea how this is. It seems that the browser is remembering something about the certificate, because it is the same one used on all servers. I tested this by having a machine connect just to the nagios server (before the URL change), and it worked until I accessed the app server with the same browser.
I’m now following the rules on wildcard SSL certs, and my naming is as follows
customer.company.com -> nginx
nagios-customer.company.com -> Apache
Now everything works, even though I’m not using PFS on the Apache servers.
If you want to setup PFS, check out this page, https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy, as it has great information. Be sure to use https://www.ssllabs.com/ssltest/ to test your server.
Lastly, I put this up in the hopes that is anyone else runs into this issue it will provide some insight to resolving the issue. If you have any additional information, please leave a note in the comments below (You don’t even have to give a real email, if you do, I won’t spam you or anything).