
for the last two days I played around a bit with nginx's SSL configuration.
A question came up:

I created an asymmetric key using
```
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout nginx.key -out nginx.crt
```
nginx config:
```
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
```

Chrome now says: [..] Connection encrypted with AES_256_CBC [..]
So what does the rsa:4096 in the openssl req command refer to?

I've already read some tutorials about SSL/TLS, but none of them answered my question.

My chain of thought: rsa:4096 specifies the strength of the initial handshake, where client and server exchange the symmetric key (in the case above: AES 256-bit encryption, CBC mode) used to encrypt data.
Is this correct?
If so, then this means that the raw-encrypted data itself can't be decrypted by someone who only has the certificate's private key, right? He needs the symmetric key for that.

I have to admit (if you haven't already noticed :D) that I'm an SSL newb.
Can you recommend a good read which explains everything (certificates etc.)?

Ben Richard
    RSA 4096 (bits) is the strength of the asymmetric key you're using for the public key exchange. I would suggest reading [How does SSL/TLS work?](http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work) – RoraΖ Nov 17 '14 at 14:35
  • Adding some clarification for you. Yes, check the main How does SSL/TLS work, but the AES identifies the actual symmetric key used, but that is established by a key exchange which occurs using the certificate. The certificate is what you were making in openssl. – AJ Henderson Nov 17 '14 at 19:15
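The point made in the comments, as an added toy model that is not part of the original question or comments: with the EECDH/EDH cipher suites from the question, the certificate's RSA key only signs the server's ephemeral Diffie-Hellman value, and the AES-256 session key is derived from the DH shared secret. All parameters below (a tiny DH modulus, a toy RSA key pair built from two small primes) are constructed for illustration and are far too small for real use.

```python
# Added example (not from the original question or its comments): a toy
# model of what the two numbers in the question stand for.  The RSA key
# (rsa:4096 in the real command; tiny textbook parameters here) only
# SIGNS the server's ephemeral Diffie-Hellman value; the AES-256 session
# key comes from the DH shared secret.  Toy sizes, not usable crypto.
import hashlib
import secrets

# --- constructed toy parameters ---------------------------------------
P_DH = 2**127 - 1          # Mersenne prime used as a tiny DH modulus
G_DH = 3                   # DH generator
# Toy RSA "certificate" key pair from two small primes (NOT a real key).
RSA_P, RSA_Q, RSA_E = 1000003, 1000033, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

def rsa_sign(message: bytes) -> int:
    """Sign a hash of the message with the certificate's private key."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N
    return pow(h, RSA_D, RSA_N)

def rsa_verify(message: bytes, sig: int) -> bool:
    """Verify with the public key the client took from the certificate."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N
    return pow(sig, RSA_E, RSA_N) == h

def session_key(shared_secret: int) -> bytes:
    """Derive a 256-bit (32-byte) AES key from the DH shared secret."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()

def handshake():
    """One ephemeral-DH handshake; returns (client_key, server_key, ok)."""
    # Server: fresh ephemeral DH secret; its public value is signed with
    # the certificate's RSA private key so the client can authenticate it.
    s_priv = secrets.randbelow(P_DH - 2) + 1
    s_pub = pow(G_DH, s_priv, P_DH)
    sig = rsa_sign(s_pub.to_bytes(16, "big"))
    # Client: check the signature against the cert's public key, then
    # contribute its own ephemeral value.
    ok = rsa_verify(s_pub.to_bytes(16, "big"), sig)
    c_priv = secrets.randbelow(P_DH - 2) + 1
    c_pub = pow(G_DH, c_priv, P_DH)
    # Both sides reach the same secret; RSA_D is never involved here, so
    # holding only the certificate's private key does not yield this key.
    client_key = session_key(pow(s_pub, c_priv, P_DH))
    server_key = session_key(pow(c_pub, s_priv, P_DH))
    return client_key, server_key, ok
```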
