> On Apr 5, 2015, at 9:10 AM, Reindl Harald <[email protected]> wrote: > > > > Am 01.04.2015 um 20:11 schrieb Susan Hinrichs: >> On 4/1/2015 11:56 AM, Reindl Harald wrote: >>> >>> >>> Am 01.04.2015 um 15:30 schrieb Leif Hedstrom: >>>> It was decided from experiences at LinkedIn that DHE was unstable >>>> and/or causing problems in general. It was deemed an incompatible >>>> change that should not have happened in the 5.x cycle, so we restored >>>> defaults to a state as it was in 5.1. I'll let Thomas and Brian give >>>> more details on the issues with DHE. >>>> >>>> You can still use DHE but you would have to move the params into a >>>> file and explicitly tell ATS to use those params. >>> >>> but in which file and how to configure - the docs don't mention it? >>> >>> IMHO the certs file containing the DHE as well as EC params should be >>> enough >> >> You can define a dhparams file in records.config >> >> proxy.config.ssl.server.dhparams_file >> >> The 5.2.0 version would use a 2048 bit prime group defined in RFC 5114 >> if no dhparams file is defined. >> >> For 5.2.1, it was changed so no default prime group is used. You must >> specify your prime group in a file > > thanks, that does the trick and MSIE11 is using AES-GCM now > that information *really* belongs to the TLS manpages not just recods.config > > > IE 11 / Win 7 R TLS 1.2 > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) FS > > IE 11 / Win 8.1 R TLS 1.2 > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) FS
Reindl, I think you know more about this than most of us, if you have the cycles to update the docs, that’d be great :) I’ll commit any github pull requests for the docs that you can muster up. Cheers, — Leif
