[ https://issues.apache.org/jira/browse/TS-2392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom resolved TS-2392.
-------------------------------

    Resolution: Duplicate

I think this is a dupe of TS-2372; if it's not, please reopen this bug.

> Enable elliptic curve ciphers to support forward secrecy
> --------------------------------------------------------
>
>                 Key: TS-2392
>                 URL: https://issues.apache.org/jira/browse/TS-2392
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: Jan-Frode Myklebust
>
> ATS does not seem to support the elliptic curve Diffie-Hellman ephemeral key
> exchanges (ECDH) that are available in OpenSSL. It seems these need to be
> enabled explicitly to take advantage of them. Ref: the following commit for
> how this support was added to Apache httpd v2.3.3:
> http://mail-archives.apache.org/mod_mbox/httpd-cvs/200911.mbox/%[email protected]%3E
> and for stud:
> https://github.com/bumptech/stud/pull/61/files
> Maybe both a DH key exchange needs to be set up, and then the various
> elliptic curves need to be initialized..?
> Checking the OpenSSL docs, I see SSL_CTX_set_tmp_dh_callback() needs to be
> called to set up the ephemeral keys:
>   http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html
> https://tech.immerda.ch/2011/11/the-state-of-forward-secrecy-in-openssl/



--
This message was sent by Atlassian JIRA
(v6.1#6144)
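
An added example, not part of the original message or of Traffic Server: a Python check of which suites in an OpenSSL cipher string use an ephemeral key exchange (ECDHE or DHE) and therefore give the forward secrecy the issue asks for. The function names and sample cipher strings are assumptions. It reports what the cipher string permits in the local OpenSSL build, not whether a given server has the ephemeral parameters set up to negotiate them.

```python
import ssl


def key_exchange(name: str) -> str:
    """Classify an OpenSSL cipher suite name by its key exchange."""
    if name.startswith("TLS_"):
        return "TLS1.3"      # TLS 1.3 suites always use (EC)DHE
    if name.startswith("ECDHE-"):
        return "ECDHE"       # ephemeral elliptic curve DH, authenticated
    if name.startswith("DHE-"):
        return "DHE"         # ephemeral finite-field DH, authenticated
    if name.startswith(("AECDH-", "ADH-")):
        return "anonymous"   # ephemeral but unauthenticated
    return "static"          # RSA, static (EC)DH or plain PSK key exchange


def audit(cipher_string: str) -> dict:
    """Expand a cipher string with the local OpenSSL and group suites by key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    report = {}
    for suite in ctx.get_ciphers():
        report.setdefault(key_exchange(suite["name"]), []).append(suite["name"])
    return report


def weak_suites(cipher_string: str) -> list:
    """Suites that lack forward secrecy or lack authentication."""
    report = audit(cipher_string)
    return sorted(report.get("static", []) + report.get("anonymous", []))


if __name__ == "__main__":
    # Constructed sample cipher strings, not taken from any real deployment.
    for sample in ("EECDH+AESGCM", "AES128-GCM-SHA256", "HIGH:!aNULL"):
        print(sample)
        for kx, names in sorted(audit(sample).items()):
            print(f"  {kx:9} {len(names):3} suites")
        print("  to review:", weak_suites(sample) or "none")
```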