Feature Request: nginx, security hardening of ssl_ecdh_curve #652

Closed
patschi opened this issue Feb 12, 2019 · 2 comments
Comments

@patschi
Contributor

patschi commented Feb 12, 2019

Requested change
For security purposes I'd suggest removing following hardcoded option in nginx configurations:

ssl_ecdh_curve secp384r1;

Reason
There are rumors that the NSA was involved when the secp curves were defined and that there is a hidden backdoor-thing; that's why currently X25519 (also due to the performance benefit) is getting more and more widely used. By using the auto setting above, X25519 will be preferred automatically on actual OpenSSL releases.

Since nginx v1.11.0 (~May 2016) the new default value of ssl_ecdh_curve is auto which automatically uses the order as provided by OpenSSL. That way the best order of curves will be used as defined in OpenSSL without overwriting any specific settings which might get outdated over time.

Some more resources to read on:

Change recommendation
To also have backwards compatibility, I'd suggest the following:

  • An option to be able to set ssl_ecdh_curve on Settings - Webserver Settings (for advanced users which are not happy with default configuration)
  • Adding a warning that auto value is >= 1.11.0 to above mentioned option
  • For existing and new installations I'd recommend leaving the option empty to remove the nginx setting completely. This works for all nginx versions. It behaves as follows:
    • When <1.11.0: Defaults to prime256v1, similar to the first curve recommendation by Mozilla. (When specifying just one, there's no fallback when the specific curve is not supported by the client.)
    • When >1.11.0: Defaults to auto, using the recommended curves provided by OpenSSL.

When using nginx >= 1.11.0 and current OpenSSL 1.1.1 this results in following server-preferred order: x25519, secp256r1, x448, secp521r1, secp384r1, which are the recommended and most-secure curves as of now. So quite similar to what Cloudflare actually uses for all their hosted sites.

@d00p
Member

d00p commented Feb 13, 2019

Current Debian stable for example is 1.10.3. And if I understand you correctly the auto option was introduced in 1.11.0 - we might need to parse the nginx version (if possible) in PHP or (maybe better) in the nginx vhost conf itself: when set to auto and version <1.11.0 then leave empty, else use auto? Would that make sense?
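One way to implement the version-aware handling discussed in this thread (patschi's recommendation to drop the hardcoded `ssl_ecdh_curve secp384r1;` line, and d00p's idea of checking the nginx version before emitting `auto`), as an added example that is not Froxlor's own code: the function names, the constructed `nginx -v` banner and the sample vhost fragment are assumptions made for this illustration. The only facts it relies on are the ones stated in the issue: `auto` exists from nginx 1.11.0 and is the default there, and older versions fall back to prime256v1 when the directive is absent.

```shell
#!/bin/sh
# Added example (not Froxlor's code): decide what to write for nginx's
# ssl_ecdh_curve directive depending on the nginx version, and strip the
# hardcoded secp384r1 line from an existing vhost.

# nginx_version_from_banner BANNER: extract "1.10.3" from the text that
# `nginx -v 2>&1` prints, e.g. "nginx version: nginx/1.10.3".
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# version_key VERSION: turn "major.minor.patch" into one integer so that
# versions can be compared with -ge/-lt (missing components count as 0).
# Runs in a subshell so the IFS change does not leak out.
version_key() {
    ( IFS=.; set -- $1; echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} )) )
}

# ssl_ecdh_curve_directive VERSION: print the line to put into the vhost.
#  - nginx < 1.11.0: print nothing. These versions do not know "auto", so
#    leaving the directive out makes nginx use its built-in default
#    (prime256v1), which is what the issue recommends.
#  - nginx >= 1.11.0: "auto" is already the default; printing it explicitly
#    documents the intent (d00p's variant). Omitting it would work as well.
ssl_ecdh_curve_directive() {
    if [ "$(version_key "$1")" -ge "$(version_key 1.11.0)" ]; then
        printf 'ssl_ecdh_curve auto;\n'
    fi
}

# strip_hardcoded_curve: migration step for existing installations. Reads a
# vhost config on stdin and drops any "ssl_ecdh_curve ...;" line, so the
# version-appropriate default applies from the next reload on.
strip_hardcoded_curve() {
    sed '/^[[:space:]]*ssl_ecdh_curve[[:space:]]/d'
}

# check_negotiated_group HOST [PORT]: ask a live server which key-exchange
# group it actually picks, using the "Server Temp Key:" line that
# openssl s_client prints. Needs network access, so the offline demo below
# does not call it.
check_negotiated_group() {
    printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | sed -n 's/^Server Temp Key: //p'
}

# Constructed sample: the relevant part of a generated vhost carrying the
# hardcoded directive this issue proposes to remove.
SAMPLE_VHOST='    ssl_protocols TLSv1.2;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;'

demo() {
    # Constructed banner standing in for the output of `nginx -v 2>&1`
    # on a Debian stable box of the time (nginx 1.10.3).
    banner='nginx version: nginx/1.10.3'
    v=$(nginx_version_from_banner "$banner")
    printf 'detected nginx %s -> directive to emit: "%s"\n' \
        "$v" "$(ssl_ecdh_curve_directive "$v")"
    printf 'directive for nginx 1.14.2: "%s"\n' "$(ssl_ecdh_curve_directive 1.14.2)"
    printf 'vhost after stripping the hardcoded curve:\n'
    printf '%s\n' "$SAMPLE_VHOST" | strip_hardcoded_curve
}

demo
```

Once the directive is gone, `check_negotiated_group example.org` (against your own host) shows the group the server settles on; with nginx >= 1.11.0 on OpenSSL 1.1.1 that is where you would expect to see X25519 rather than secp384r1.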

@patschi
Contributor Author

patschi commented Feb 13, 2019

That was also an idea I thought of, but simply removing the configuration setting might have two advantages:

  • It is easier to manage for existing and new installations. So no need to parse the nginx version.
  • If the config option is simply not provided for <1.11.0, nginx will use secp256r1 which is the first suggested cipher by Mozilla anyway (see "Modern compatibility"). So this might be also an acceptable option IMHO.

@d00p d00p closed this as completed in 8b417c0 Jul 11, 2019