[
https://issues.apache.org/jira/browse/TS-2392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13831089#comment-13831089
]
Jan-Frode Myklebust commented on TS-2392:
-----------------------------------------
Oops, sorry, I tried searching for relevant tickets before filing this one,
but missed TS-2372. So, yes, agree.. dupe.
> Enable elliptic curve ciphers to support forward secrecy
> --------------------------------------------------------
>
> Key: TS-2392
> URL: https://issues.apache.org/jira/browse/TS-2392
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL
> Reporter: Jan-Frode Myklebust
>
> ATS does not seem to support the elliptic curve Diffie-Hellman ephemeral key
> exchanges (ECDH) that are available in openssl. It seems these need to be
> enabled explicitly to take advantage of them. Ref: the following commit for
> how this support was added to apache httpd v2.3.3:
> http://mail-archives.apache.org/mod_mbox/httpd-cvs/200911.mbox/%[email protected]%3E
> and for stud:
> https://github.com/bumptech/stud/pull/61/files
> Maybe both a DH key exchange needs to be set up, and then the various
> elliptic curves needs to be initialized..?
> Checking the openssl docs, I see SSL_CTX_set_tmp_dh_callback() needs to be
> called to set up the ephemeral keys:
> http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html
> https://tech.immerda.ch/2011/11/the-state-of-forward-secrecy-in-openssl/
> http://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman
> And these are the named curves available with openssl-1.0.1e-16.el6_5.x86_64
> on RHEL-6.5:
> {noformat}
> $ openssl ecparam -list_curves
> secp384r1 : NIST/SECG curve over a 384 bit prime field
> prime256v1: X9.62/SECG curve over a 256 bit prime field
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
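Added example (editorial, not Traffic Server code and not from either ticket): the point raised in the issue is that, on OpenSSL 1.0.x, listing ECDHE suites in the cipher string is not enough for a server; the ephemeral ECDH parameters must also be installed with SSL_CTX_set_tmp_ecdh() (or the callback), otherwise the suites are advertised as enabled but cannot be negotiated. The block below does the same configuration through Python's standard ssl module, which is a thin wrapper over SSL_CTX (set_ciphers maps to SSL_CTX_set_cipher_list, set_ecdh_curve to SSL_CTX_set_tmp_ecdh on 1.0.x/1.1.x or SSL_CTX_set1_groups on 3.x), and then checks the resulting suite list so that a non-forward-secret configuration is caught before deployment. The two cipher strings and the function names are choices made for this example, not ATS defaults.

```python
"""Build an OpenSSL-backed TLS server context with ephemeral ECDH enabled and
verify that every cipher suite it offers gives forward secrecy.

Example code added for illustration; it is not part of Traffic Server.
Standard library only: the ssl module wraps OpenSSL's SSL_CTX API.
"""
import ssl

# Key-exchange names as reported by SSLContext.get_ciphers(). "kx-any" is what
# TLS 1.3 suites report; TLS 1.3 always performs an ephemeral (EC)DHE exchange,
# so it counts as forward secret.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}

# Cipher strings chosen for this example (not ATS defaults).
WEAK_CIPHERS = "AES128-GCM-SHA256"        # static RSA key transport: no PFS
FS_CIPHERS = "ECDHE+AESGCM:!aNULL:!MD5"   # ephemeral ECDH suites only


def build_server_context(forward_secrecy: bool) -> ssl.SSLContext:
    """Return a server SSLContext in either the weak or the corrected shape."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if forward_secrecy:
        ctx.set_ciphers(FS_CIPHERS)
        # Counterpart of SSL_CTX_set_tmp_ecdh() in the httpd/stud changes:
        # on OpenSSL 1.0.x a server without a configured curve cannot
        # complete an ECDHE handshake even though the suites are enabled.
        # Newer OpenSSL selects a group automatically; setting it is still
        # harmless and makes the intent explicit.
        if ssl.HAS_ECDH:
            ctx.set_ecdh_curve("prime256v1")
    else:
        # The "before" configuration: RSA key transport, the server's private
        # key decrypts every session's pre-master secret.
        ctx.set_ciphers(WEAK_CIPHERS)
    return ctx


def key_exchanges(ctx: ssl.SSLContext) -> dict:
    """Map each enabled suite name to the key-exchange algorithm it uses."""
    return {c["name"]: c["kea"] for c in ctx.get_ciphers()}


def non_forward_secret_suites(ctx: ssl.SSLContext) -> list:
    """Suites whose key exchange does not use ephemeral (EC)DH."""
    return sorted(name for name, kea in key_exchanges(ctx).items()
                  if kea not in EPHEMERAL_KX)


def forward_secret_only(ctx: ssl.SSLContext) -> bool:
    """True when every suite the server would offer gives forward secrecy."""
    return not non_forward_secret_suites(ctx)


if __name__ == "__main__":
    for fs in (False, True):
        ctx = build_server_context(fs)
        bad = non_forward_secret_suites(ctx)
        print(f"forward_secrecy={fs}: all suites ephemeral? "
              f"{forward_secret_only(ctx)}; non-PFS suites: {bad}")
```

Run on a box with the cipher string of the actual front end (ATS, stud, httpd) substituted for FS_CIPHERS and the check fails loudly whenever a static-RSA suite creeps back into the list. The same audit from outside the process is `openssl s_client -cipher ECDHE ...` against the listening port; if the handshake fails while the suite list shows ECDHE enabled, the ephemeral parameters (SSL_CTX_set_tmp_ecdh / DH params) are what is missing.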