[ 
https://issues.apache.org/jira/browse/TS-3711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14601065#comment-14601065
 ] 

Susan Hinrichs commented on TS-3711:
------------------------------------

For this issue, I'm going to re-enable the use of the fixed 2048-bit DH param if 
no file is specified.  This will enable the negotiation of the DHE- ciphers if 
present in the cipher suite list.

For older clients (like Java 7 clients), the DHE- negotiation will fail because 
they cannot handle DH params greater than 1024 bits.

This is not an ideal solution because every ATS server by default will be using 
the fixed DH param.  TS-3624 outlines a superior solution that creates a new DH 
param on every deployment after a fixed interval.  But this is a lower 
implementation risk, so we do this first.

> Allow DHE ciphers in the ciphersuite list to be negotiable
> ----------------------------------------------------------
>
>                 Key: TS-3711
>                 URL: https://issues.apache.org/jira/browse/TS-3711
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Susan Hinrichs
>            Assignee: Susan Hinrichs
>             Fix For: 6.0.0
>
>
> As it stands, adding a DHE- cipher to the cipher suite list is not sufficient 
> to allow a DHE protocol to be negotiated.  One must also add a dhparams file. 
>  
> We should re-introduce the logic to automatically create DHParams if none is 
> specified.  We currently have logic that could create fixed 2048-bit 
> DHParams, but it is not currently enabled. The disabling was tracked in 
> TS-3437.
> Now that we are at a major release, we should reactivate this logic, since it 
> seems odd and not user-friendly to have a two step process for activating 
> DHE- ciphers (unlike any other cipher family).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
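The comment above turns on the question of which DH group a server actually offers: a fixed 2048-bit group is negotiable by modern clients but rejected by clients capped at 1024 bits (the Java 7 case), while anything below 2048 bits is the weak setting the ticket is moving away from. The following is an added example, written for this page and not code from the TS-3711 ticket or from Traffic Server; it parses a PEM "DH PARAMETERS" file (PKCS#3 DER: SEQUENCE of INTEGER p, INTEGER g) in pure Python, so it runs offline without OpenSSL, and reports the group size against both thresholds. The sample moduli are constructed placeholders with the right bit lengths only (they are not primes and must never be deployed), and the 1024-bit client cap and 2048-bit floor are taken from the comment, not from any client or library documentation.

```python
"""Inspect a PKCS#3 "DH PARAMETERS" PEM blob and classify the group size.

Added example (not Traffic Server code). Parses DER
    SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength] }
and reports whether the group would be rejected by a 1024-bit-only client
and whether it meets the 2048-bit default size discussed in the ticket.
"""
import base64
import re

JAVA7_MAX_DH_BITS = 1024   # assumption, from the comment: older clients cap DH at 1024 bits
MIN_DEFAULT_DH_BITS = 2048  # the fixed default size the ticket re-enables


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _der_int(buf, pos):
    """Decode a DER INTEGER at buf[pos]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % pos)
    length, pos = _der_length(buf, pos + 1)
    value = int.from_bytes(buf[pos:pos + length], "big", signed=True)
    return value, pos + length


def parse_dh_params_der(der):
    """Return (p, g) from a PKCS#3 DHParameter DER encoding."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    length, pos = _der_length(der, 1)
    if pos + length > len(der):
        raise ValueError("truncated SEQUENCE")
    p, pos = _der_int(der, pos)
    g, pos = _der_int(der, pos)      # optional privateValueLength is ignored
    if p <= 0 or g <= 0:
        raise ValueError("p and g must be positive")
    return p, g


def parse_dh_params_pem(pem):
    """Extract the DH PARAMETERS block from PEM text and return (p, g)."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return parse_dh_params_der(base64.b64decode("".join(m.group(1).split())))


def assess(p, g):
    """Classify a DH group the way an operator checking DHE negotiation would."""
    bits = p.bit_length()
    return {
        "bits": bits,
        "p_is_odd": p % 2 == 1,          # an even modulus is certainly not a prime
        "generator_ok": 2 <= g < p,
        "java7_compatible": bits <= JAVA7_MAX_DH_BITS,   # >1024 bits: old clients fail the handshake
        "meets_2048_default": bits >= MIN_DEFAULT_DH_BITS,
    }


# --- encoder used only to build constructed sample files for the demo ---------
def _der_encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_encode_int(v):
    # bit_length // 8 + 1 bytes always leaves a leading zero byte when the MSB is set
    return b"\x02" + _der_encode_len(v.bit_length() // 8 + 1) + v.to_bytes(v.bit_length() // 8 + 1, "big")


def encode_dh_params_pem(p, g):
    """Produce a PEM DH PARAMETERS blob for (p, g); used here for constructed samples."""
    body = _der_encode_int(p) + _der_encode_int(g)
    b64 = base64.b64encode(b"\x30" + _der_encode_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


# Constructed placeholder moduli: correct bit length only, NOT primes, never deploy.
P_2048_PLACEHOLDER = (1 << 2047) | 1
P_1024_PLACEHOLDER = (1 << 1023) | 1
SAMPLE_2048_PEM = encode_dh_params_pem(P_2048_PLACEHOLDER, 2)
SAMPLE_1024_PEM = encode_dh_params_pem(P_1024_PLACEHOLDER, 2)


def report(pem):
    """Parse a PEM blob and return the assessment dict for its group."""
    return assess(*parse_dh_params_pem(pem))


if __name__ == "__main__":
    for name, pem in (("2048-bit default", SAMPLE_2048_PEM), ("1024-bit legacy", SAMPLE_1024_PEM)):
        print(name, report(pem))
```

Point `report()` at the contents of a real dhparams file (for example one produced by `openssl dhparam 2048`) to see which side of the 1024/2048 line a deployment falls on; a group that fails `p_is_odd` or `generator_ok` is corrupt and should not be loaded at all.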