You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2013/11/25 00:12:35 UTC

[jira] [Updated] (TS-2392) Enable elliptic curve ciphers to support forward secrecy

     [ https://issues.apache.org/jira/browse/TS-2392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-2392:
------------------------------

    Component/s:     (was: Core)
                 SSL

> Enable elliptic curve ciphers to support forward secrecy
> --------------------------------------------------------
>
>                 Key: TS-2392
>                 URL: https://issues.apache.org/jira/browse/TS-2392
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: Jan-Frode Myklebust
>
> ATS does not seem to support the elliptic curve diffie hellman ephemeral key exchanges (ECDH)  that are available in openssl. It seems these needs to be enabled explicitly to take advantage of them. Ref: the following commit for how this support was added to apache httpd v2.3.3:
> http://mail-archives.apache.org/mod_mbox/httpd-cvs/200911.mbox/%3C20091110075514.166A6238890A@eris.apache.org%3E
> and for stud:
> https://github.com/bumptech/stud/pull/61/files
> Maybe both a DH key exchange needs to be set up, and then the various elliptic curves needs to be initialized..?
> Checking the openssl docs, I see SSL_CTX_set_tmp_dh_callback() needs to be called to set up the ephemeral keys:
>   http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html
> https://tech.immerda.ch/2011/11/the-state-of-forward-secrecy-in-openssl/



--
This message was sent by Atlassian JIRA
(v6.1#6144)