Enabling HTTP/2 and CHACHA20_POLY1305 on Nginx

HTTP/2

HTTP/2 (originally named HTTP/2.0) is the second major version of the HTTP network protocol used by the World Wide Web. It is based on SPDY. HTTP/2 was developed by the Hypertext Transfer Protocol working group (httpbis, where bis means "repeat" or "twice") of the Internet Engineering Task Force. HTTP/2 is the first new version of HTTP since HTTP 1.1, which was standardized in RFC 2068 in 1997. The Working Group presented HTTP/2 to IESG for consideration as a Proposed Standard in December 2014, and IESG approved it to publish as Proposed Standard on February 17, 2015. The HTTP/2 specification was published as RFC 7540 in May 2015.

CHACHA20_POLY1305

Existing TLS [RFC5246] cipher suites either suffer from cryptographic weaknesses (RC4), major implementation pitfalls (CBC mode ciphers) or are difficult to effectively implement in software (AES-GCM). In order to improve the state of software TLS implementations, this memo specifies cipher suites that can be fast and secure when implemented in software without sacrificing key agility.

ChaCha20 [chacha] is a stream cipher developed by D. J. Bernstein. It is a refinement of Salsa20 and was used as the core of the SHA-3 finalist, BLAKE.

ChaCha20 maps 16, 32-bit input words to 64 output bytes. By convention, 8 of the input words consist of a 256-bit key, 4 are constants and the remaining four are a block counter. The output bytes are XORed with the plaintext to produce ciphertext.

See more in the draft "ChaCha20 and Poly1305 based Cipher Suites for TLS" (draft-agl-tls-chacha20poly1305-01).

As of version 1.9.5, nginx supports the full HTTP/2 spec. So with a few minutes spent learning the config (it really is easy), you can not only use the latest web standards, it's also EXTREMELY performant.

The install process is very simple with only one minor gotcha.

First off, add the apt keys:

$ wget http://nginx.org/packages/keys/nginx_signing.key
$ cat nginx_signing.key | sudo apt-key add -

Next add the following lines to /etc/apt/sources.list if you're on Ubuntu:

deb http://nginx.org/packages/mainline/ubuntu/ wily nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ wily nginx

Update the source cache and install Nginx:

$ sudo apt-get update
$ sudo apt-get purge nginx nginx-core nginx-common
$ sudo apt-get install nginx

Configuration

server {
    listen 443 ssl http2;
    server_name example.com;
    # ... certificate directives and the cipher settings below go here
}

Enable CHACHA20_POLY1305 Encryption

ssl_prefer_server_ciphers   on;
ssl_ciphers                 ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:MEDIUM:!MD5:!aNULL:!EDH:!RC4:!DSS;
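Nginx hands the ssl_ciphers string to OpenSSL at startup, so the only reliable way to know which suites the string above really enables, and in what order, is to expand it with the same library. This added example (not part of the original post, and not nginx code) does that with Python's ssl module and flags what a practitioner checks before deploying: that the ChaCha20 suites lead, that nothing weak survives the `!` exclusions, and which non-forward-secret suites `HIGH:MEDIUM` pulls in at the tail. The audit_names/expand_ciphers helper names are my own.

```python
import ssl

# The ssl_ciphers value from the nginx configuration above.
NGINX_CIPHERS = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:"
    "HIGH:MEDIUM:!MD5:!aNULL:!EDH:!RC4:!DSS"
)

# Name fragments that mark suites a TLS server should not offer (3DES matches "DES").
WEAK_MARKERS = ("RC4", "MD5", "NULL", "DES", "EXP", "RC2", "SEED", "IDEA")


def expand_ciphers(cipher_string):
    """Expand an OpenSSL cipher string with the local libssl, the way nginx
    does at startup, and return the TLS 1.2-and-below suite names in
    server-preference order (the order ssl_prefer_server_ciphers on enforces)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # OpenSSL 1.1.1+ prepends the fixed TLS 1.3 suites; ssl_ciphers does not
    # govern them, so drop them and audit only what the string controls.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_names(names):
    """Pure check over an ordered suite list; returns a findings dict."""
    chacha = [i for i, n in enumerate(names) if "CHACHA20" in n]
    return {
        "first": names[0] if names else None,
        # The post's intent is ChaCha20-Poly1305 first; confirm it survived expansion.
        "chacha_first": bool(chacha) and chacha[0] == 0,
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        # Suites not keyed with ECDHE/DHE have no forward secrecy; HIGH:MEDIUM
        # pulls plain-RSA and PSK suites in behind the explicit ones.
        "non_pfs": [n for n in names if not n.startswith(("ECDHE-", "DHE-"))],
        "total": len(names),
    }


def audit_cipher_string(cipher_string=NGINX_CIPHERS):
    return audit_names(expand_ciphers(cipher_string))


if __name__ == "__main__":
    for key, value in audit_cipher_string().items():
        print(f"{key}: {value}")
```

Run it on the box that will serve the site, since the expansion depends on that machine's OpenSSL build, not on the string alone.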

See also: Enabling SPDY and HSTS on Nginx
