On 4/1/2015 11:56 AM, Reindl Harald wrote:
Am 01.04.2015 um 15:30 schrieb Leif Hedstrom:
It was decided from experiences at LinkedIn that DHE was unstable
and/or causing problems in general. It was deemed an incompatible
change that should not have happened in the 5.x cycle, so we restored
defaults to a state as it was in 5.1. I'll let Thomas and Brian give
more details on the issues with DHE.
You can still use DHE but you would have to move the params into a
file and explicitly tell ATS to use those params.
but in which file and how to configure - the docs don't mention it?
IMHO the certs file containing the DHE as well as EC params should be
enough
You can define a dhparams file in records.config
proxy.config.ssl.server.dhparams_file
The 5.2.0 version would use a 2048 bit prime group defined in RFC 5114 if no
dhparams file is defined.
For 5.2.1, it was changed so no default prime group is used. You must specify
your prime group in a file.
On Apr 1, 2015, at 4:04 AM, Reindl Harald <[email protected]>
wrote:
Hi
why are DHE ciphers no longer available after update to 5.2.1?
the crtificate files are PEM with
* intermediate CA
* private key
* certificate
* ec params
* dh params
in a single file which is supported for a long time by httpd and
worked with the previous ATS release too (which introduced DHE at all)
