On 01.04.2015 at 20:11, Susan Hinrichs wrote:
On 4/1/2015 11:56 AM, Reindl Harald wrote:


On 01.04.2015 at 15:30, Leif Hedstrom wrote:
It was decided from experiences at LinkedIn that DHE was unstable
and/or causing problems in general. It was deemed an incompatible
change that should not have happened in the 5.x cycle, so we restored
defaults to a state as it was in 5.1. I'll let Thomas and Brian give
more details on the issues with DHE.

You can still use DHE but you would have to move the params into a
file and explicitly tell ATS to use those params.

but in which file and how to configure - the docs don't mention it?

IMHO the certs file containing the DHE as well as EC params should be
enough

You can define a dhparams file in records.config

proxy.config.ssl.server.dhparams_file

The 5.2.0 version would use a 2048 bit prime group defined in RFC 5114
if no dhparams file is defined.

For 5.2.1, it was changed so no default prime group is used.  You must
specify your prime group in a file

thanks, that does the trick and MSIE11 is using AES-GCM now
that information *really* belongs to the TLS manpages not just records.config


IE 11 / Win 7 R TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) FS

IE 11 / Win 8.1 R TLS 1.2 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) FS
