I recently read some things about forward secrecy and found it interesting enough to check my web server installation. SSL Labs has a nice site where you can check your web server for security features and issues with HTTPS connections. I got an F grade on my first test and decided I could do better... After reading more (including some more on OpenSSL) I found out that I probably just needed to upgrade my OpenSSL installation. Since I'm stuck with my old OpenSuse 11.1/Apache 2.2 environment and could not find any usable RPMs, I needed to compile it myself. I'll give a short description of the necessary steps in an OpenSuse server environment.
Here's how it goes:
> cd /usr/src
> wget https://www.openssl.org/source/openssl-1.0.1e.tar.gz
> tar -xvzf openssl-1.0.1e.tar.gz
> cd openssl-1.0.1e/
> ./config no-threads shared --prefix=/usr
> make depend
> make
> make test
> make install
If you get errors during the "make depend" step complaining that gcc is missing, use yast2 to install gcc and its dependencies.
When it's finished (compiling and testing take several minutes), check that the new version is the one installed with
> openssl version
OpenSSL 1.0.1e 11 Feb 2013
Now let's update the OpenSSH server (sshd) as well, so that it is linked against the OpenSSL libraries we have just built. You may also need the "zlib-devel" and "tcpd-devel" packages; use yast2 to install them before you begin. With tcp-wrappers support you can use DenyHosts with your OpenSSH server to block brute-force login attempts.
> cd /usr/src
> wget http://ftp.spline.de/pub/OpenBSD/OpenSSH/portable/openssh-6.2p2.tar.gz
> tar xzvf openssh-6.2p2.tar.gz
> cd openssh-6.2p2/
> ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-tcp-wrappers
> make
I recommend you rename your /etc/ssh directory to something else and let the new ssh version create a new one with fresh settings and keys. You can modify the new config file afterwards. Keep in mind that freshly generated host keys mean existing clients will warn about a changed host key on their next connection; copy the old ssh_host_* key files back from the renamed directory if you want to avoid that.
> mv /etc/ssh /etc/ssh.old
> make install
You can check the installed version, and which OpenSSL it was built against, with
> sshd -?
OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file] [-f config_file] [-g login_grace_time] [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
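The two banners above are the only evidence that the rebuild worked, and it is easy to end up with an sshd that still loads the distribution's old libssl. The script below is an added example, not part of the original post: it parses the `openssl version` and `sshd -?` banners, checks that the OpenSSL release is at least 1.0.1 (the first release that speaks TLS 1.2), and confirms that sshd reports the same OpenSSL release as the command-line tool. The helper functions take the banner text as arguments so they can be exercised on the constructed sample strings; only `run_live_checks` touches the real binaries, and it skips whatever it cannot find on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: post-build sanity checks for a
# source-built OpenSSL and OpenSSH. Helpers take banner text as an argument so
# they can be tested on constructed strings; only run_live_checks() runs the
# real binaries, and it skips what it cannot find.

# Pull the release number ("1.0.1e") out of an "openssl version" banner.
openssl_version_string() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
}

# Pull the OpenSSL release out of the first line printed by "sshd -?",
# e.g. "OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013".
sshd_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_[^,]*, OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
}

# Succeeds when the banner describes OpenSSL 1.0.1 or newer, the first
# release that supports TLS 1.2. An older library cannot offer the modern
# suites SSL Labs looks for, however the web server is configured.
openssl_supports_tls12() {
    v=$(openssl_version_string "$1")
    [ -n "$v" ] || return 1
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/[a-z]*$//')   # "1e" -> "1"
    minor=${minor:-0}
    patch=${patch:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 0 ] && return 0
    [ "$patch" -ge 1 ]
}

# Succeeds only when sshd reports the same OpenSSL release as the openssl
# binary; a mismatch means sshd is still linked against the old library.
sshd_matches_openssl() {
    a=$(openssl_version_string "$1")
    b=$(sshd_openssl_version "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live checks against whatever is installed; each step is skipped when the
# tool is not on PATH (sshd usually lives in /usr/sbin).
run_live_checks() {
    PATH="$PATH:/usr/sbin:/usr/local/sbin"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping live checks"
        return 0
    fi
    ossl=$(openssl version)
    echo "openssl: $ossl"
    if openssl_supports_tls12 "$ossl"; then
        echo "TLS 1.2 capable: yes"
        # Number of ECDHE (forward-secrecy) suites this build can offer.
        echo "ECDHE suites: $(openssl ciphers 'ECDHE' 2>/dev/null | tr ':' '\n' | wc -l)"
    else
        echo "TLS 1.2 capable: NO - upgrade OpenSSL first"
    fi
    if command -v sshd >/dev/null 2>&1; then
        # sshd -? prints its banner and usage to stderr and exits non-zero.
        sshline=$(sshd -? 2>&1 | head -n 1)
        echo "sshd:    $sshline"
        if sshd_matches_openssl "$ossl" "$sshline"; then
            echo "sshd linked against the new OpenSSL: yes"
        else
            echo "sshd linked against the new OpenSSL: NO"
        fi
    else
        echo "sshd not found, skipping"
    fi
}

run_live_checks
```

Run it as root after `make install` on both packages; a "NO" on the last line means the dynamic linker is still picking up the distribution's libssl (check `ldd $(command -v sshd)` to see which library path it resolves to).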