[ https://issues.apache.org/jira/browse/TS-2392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom resolved TS-2392.
-------------------------------
Resolution: Duplicate
I think this is a dupe of TS-2372, if it's not, please reopen this bug.
> Enable elliptic curve ciphers to support forward secrecy
> --------------------------------------------------------
>
> Key: TS-2392
> URL: https://issues.apache.org/jira/browse/TS-2392
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL
> Reporter: Jan-Frode Myklebust
>
> ATS does not seem to support the elliptic curve Diffie-Hellman ephemeral key
> exchanges (ECDHE) that are available in OpenSSL. It seems these need to be
> enabled explicitly to take advantage of them. Ref: the following commit for
> how this support was added to Apache httpd v2.3.3:
> http://mail-archives.apache.org/mod_mbox/httpd-cvs/200911.mbox/%[email protected]%3E
> and for stud:
> https://github.com/bumptech/stud/pull/61/files
> Maybe both a DH key exchange needs to be set up and then the various
> elliptic curves need to be initialized?
> Checking the OpenSSL docs, I see SSL_CTX_set_tmp_dh_callback() needs to be
> called to set up the ephemeral keys:
> http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html
> https://tech.immerda.ch/2011/11/the-state-of-forward-secrecy-in-openssl/
--
This message was sent by Atlassian JIRA
(v6.1#6144)