Bug 55915 - Add ECDHE support to tcnative-1.dll
Summary: Add ECDHE support to tcnative-1.dll
Status: CLOSED FIXED
Alias: None
Product: Tomcat Native
Classification: Unclassified
Component: Library (show other bugs)
Version: 1.1.29
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-20 12:44 UTC by Ognjen Blagojevic
Modified: 2014-05-21 09:42 UTC (History)
0 users


Attachments
Add ECDHE support to Tomcat Native. (848 bytes, patch)
2014-02-04 22:35 UTC, Mike Noordermeer 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ognjen Blagojevic 2013-12-20 12:44:32 UTC 
EECDH (Ephemeral elliptic-curve Diffie-Hellman) protocol is useful for enabling Forward Secrecy and for preventing certain attacks.

EECDH support exists in official OpenSSL since version 1.0.0. Note that RHEL / CentOS did not include EECDH due to patent concerns until recently [1], but that issue is now resolved, and EECDH is included since RHEL / CentOS version 6.5.

Tcnative Windows binary seems to lack support for EECDH, also. I don't know why, but I guess it is due to following RedHat decisions on EECDH support in OpenSSL for RHEL.

Since RedHat resolved aforementioned issue, and included EECDH support in OpenSSL RPMs, is it possible that developers/packagers of Tomcat native also add EECDH support to the Windows binary (tcnative-1.dll)?

-Ognjen

[1] https://bugzilla.redhat.com/show_bug.cgi?id=319901
Comment 1 Mike Noordermeer 2014-02-04 22:35:18 UTC 
Created attachment 31283 [details]
Add ECDHE support to Tomcat Native.

It's not just the Windows binary, the source is also missing the required call to SSL_CTX_set_tmp_ecdh() on other platforms.

A minimal patch to enable ECDHE using the NIST P256 EC is attached. If the EC has to be user selectable, adding it to TC Native will probably require some more work (but since the DH params are fixed too, I think this should suffice). 

It may also be necessary to add a call to SSL_set_tmp_ecdh() in sslnetwork.c, but I'm not sure how that will be used.
Comment 2 Jeffrey.Janner 2014-04-08 22:09:31 UTC 
I just wanted to an importance stress to this bug.
At this time, support for ECDHE is the only way to get Forward Secrecy support with Internet Explorer browsers. Firefox, Chrome, and Safari (and others) will at least do regular DHE ciphers if available.
Comment 3 Mladen Turk 2014-04-09 07:24:53 UTC 
New versions will be configured at build time using
perl Configure enable-ecdh enable-ec enable-ecdsa ...
Comment 4 Mladen Turk 2014-04-09 07:36:26 UTC 
Patch applied.
Resolving, but will need to verify the functionality.
Comment 5 Jeffrey.Janner 2014-04-10 15:17:44 UTC 
Wanted to report that the Qualys SSL Labs' SSl test tool is now reporting that, with this version, the ECDHE ciphers are available and will be used by the IE releases that support them (not IE8/XP does not). In fact, I am now getting an A rating on the tool and all major browsers are shown to use a cipher that offers Forward Secrecy.
Thanks for quickly addressing this one.
Comment 6 Ognjen Blagojevic 2014-05-21 09:42:52 UTC 
I also tested 1.1.30 that is released at 10.4.2014, and I am able to use EECDH ciphers now. Thank you.