Community Info: Dual Hybrid RSA and ECDSA certificates Nginx


Hello

According to the Netcraft web server survey for April 2019, for the first time since 1996 Nginx has surpassed Apache as the most used web server for web sites!

Most websites now use nginx!
Despite the overall loss of sites this month, nginx gained 22.3 million websites and 2.03 million additional active sites. nginx also gained the largest number of web-facing computers, increasing its total by 63,000 to 2.57 million (+2.52%). nginx's market share of web-facing computers is now nearly 30%, and this is continuing to grow steadily closer to Apache's leading share of 37.3%.

Microsoft and Apache lost shares in every headline metric this month, with both vendors contributing significantly to this month's overall loss of sites. Microsoft lost 18.9 million sites, while Apache lost 17.2 million, causing their shares to decrease by 1.01 and 0.87 percentage points.

These changes have pushed nginx into the lead, giving it a 27.5% share of all sites in Netcraft's April 2019 Web Server Survey. Significantly, this is the first time since 1996 that a vendor other than Microsoft or Apache has served the largest number of websites.

With Nginx 1.11.0+ you can use Dual Hybrid RSA and ECDSA certificates

Why?

Because it is faster!

Nginx version 1.11.0+ can serve both RSA and ECDSA certificates for maximum performance without having to drop support for older clients.

"Feature: the "ssl_certificate" and "ssl_certificate_key" directives can be specified multiple times to load certificates of different types (for example, RSA and ECDSA)."

Once you have built the new version, adding support for hybrid RSA and ECDSA certificates is easy!

You go from this:

ssl_certificate /path/to/rsa.crt;
ssl_certificate_key /path/to/rsa.key;
To this:

ssl_certificate /path/to/rsa.crt;
ssl_certificate_key /path/to/rsa.key;
ssl_certificate /path/to/ecdsa.crt;
ssl_certificate_key /path/to/ecdsa.key;

And then give priority to ECDSA certificates at:

ssl_ciphers

It will be better to compile Nginx against OpenSSL 1.0.2+ in order for OCSP stapling to work properly.

Nginx will choose the appropriate key and certificate to use based on the capabilities the client advertises in the ClientHello so you can use the faster ECDSA certificate for capable clients and gracefully fall back to RSA for older clients.

So a user with a modern system using, for example, the latest Chrome or the latest Firefox will get the ECDSA certificate, and a user with an old, outdated Android system will get the slower RSA certificate.

I know that it is not a tutorial with copy-paste commands to make it work on your server, but it has the info to start looking around on how to add it to your system, as every system is different and there is no one solution for all.

You can do some research and, if you like, you can try to install it or ask your server administrator to do it for you.

For my setup I am using Let's Encrypt Certbot for both RSA and ECDSA certificates, and it is very easy to automate the renewal as well using a simple cronjob.

Enjoy!

Thank you
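As an added example (not part of the original post), here is what the server block described above looks like once the two certificate pairs and an ECDSA-first ssl_ciphers list are put together. The server name and the /path/to/... files are placeholders.

```nginx
# Added example, not from the post: dual RSA + ECDSA certificates on Nginx 1.11.0+.
# server_name and all /path/to/... files are placeholders to be replaced.
server {
    listen 443 ssl http2;
    server_name example.com;

    # Both pairs are loaded; for each connection Nginx sends the one that
    # matches what the client advertised in its ClientHello.
    ssl_certificate     /path/to/rsa.crt;
    ssl_certificate_key /path/to/rsa.key;
    ssl_certificate     /path/to/ecdsa.crt;
    ssl_certificate_key /path/to/ecdsa.key;

    ssl_protocols TLSv1.2 TLSv1.3;

    # ECDHE-ECDSA-* suites come before ECDHE-RSA-* suites. With
    # ssl_prefer_server_ciphers on, a TLS 1.2 client that offers both gets an
    # ECDSA suite and therefore the ECDSA certificate; a client that only
    # offers RSA suites still negotiates and receives the RSA certificate.
    # Under TLS 1.3 the suite no longer names the authentication algorithm,
    # so the certificate is picked from the client's signature_algorithms instead.
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305';

    # OCSP stapling, which the post notes needs a build against OpenSSL 1.0.2+.
    # chain.pem is the issuer chain used to verify the stapled response (placeholder path).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/chain.pem;
}
```

To confirm both paths work, run `openssl s_client -connect example.com:443 -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256` and again with `ECDHE-RSA-AES128-GCM-SHA256`; the "Server public key" line should report the EC key size for the first and the RSA key size for the second.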
