Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 1.3.0
    • Fix Version/s: 1.4.0
    • Component/s: libprocess
    • Sprint: Mesosphere Sprint 59, Mesosphere Sprint 60
    • Story Points: 5

      Description

      Elliptic curve ciphers are a family of ciphers supported by OpenSSL. They allow smaller keys, but require an extra configuration parameter, the actual curve to be used, which can't be done through libprocess as it is.

        Activity

        arojas Alexander Rojas added a comment -

        r/60913/: Adds support for OpenSSL's ECDH handshake.

        adam-mesos Adam B added a comment -

        Alexander Rojas, how many story points is this ticket?
        cc: Till Toenshoff

        jgehrcke Jan-Philip Gehrcke added a comment -

        The precise goal of this ticket really is to support TLS handshakes which use an ephemeral elliptic curve Diffie-Hellman key exchange, usually abbreviated with ECDHE.

        tillt Till Toenshoff added a comment -
        commit fc27129a1f63fb48da5ed41b82c150be2ce45121
        Author: Alexander Rojas <alexander@mesosphere.io>
        Date:   Thu Jul 27 00:43:22 2017 +0200
        
            Added documentation for LIBPROCESS_SSL_ECDH_CURVE environment variable.
        
            This adds the adequate documentation entry for the new
            `LIBPROCESS_SSL_ECDH_CURVE` environment variable, which allows the
            configuration of ECDHE key exchange while establishing TLS sessions.
        
            Review: https://reviews.apache.org/r/60996/
        
        commit 679066964ac4c0e34208cb583ac9bbf31cbc3102
        Author: Alexander Rojas <alexander@mesosphere.io>
        Date:   Thu Jul 27 00:42:21 2017 +0200
        
            Added support for OpenSSL's ECDH key exchange.
        
            This patch adds the configuration necessary so that the Elliptic Curve
            Diffie-Hellman algorithm can be used for TLS key exchange if the
            OpenSSL version used supports it.
        
            It also adds the SSL flag `LIBPROCESS_SSL_ECDH_CURVES` which allows
            for the specification of a specific elliptic curve (or set of curves).
        
            Users will need to specify the TLS cipher suite that uses ECDH in order
            to enable the new key exchange. By default Mesos does not use any ECDH
            cipher suites.
        
            Support for ephemeral ECDH public keys is the default, so that new
            public keys are generated for each exchange.
        
            Note that in order to enable ECDSA ciphers an ECDSA key is still
            necessary instead of the more traditional RSA one.
        
            Review: https://reviews.apache.org/r/60913/
        
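The three conditions the commit message spells out (a curve both peers accept, an ECDHE suite in the cipher list, and an ECDSA key behind any ECDHE-ECDSA suite), as an added example that is not part of this ticket or of libprocess. It is written against Go's crypto/tls rather than OpenSSL: tls.Config.CurvePreferences stands in for LIBPROCESS_SSL_ECDH_CURVES and tls.Config.CipherSuites for the libprocess cipher list. It runs three TLS 1.2 handshakes over an in-memory pipe: curve lists that overlap (an ECDHE-ECDSA suite is negotiated), curve lists that do not (the handshake fails), and a client asking for ECDHE-RSA from a server that only holds an ECDSA key (fails, as the last paragraph of the commit message warns). The self-signed certificate, the host name mesos-example.invalid and all function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedECDSA builds a throwaway P-256 key and self-signed certificate in
// memory (a constructed fixture for this example; no real key material is
// embedded). ECDHE-ECDSA suites need exactly this kind of key, not an RSA one.
func selfSignedECDSA() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"mesos-example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// ServerConfig and ClientConfig stand in for the libprocess settings: curves
// plays the role of LIBPROCESS_SSL_ECDH_CURVES and suites that of an ECDHE-only
// cipher list (Mesos enables none by default). TLS 1.2 is pinned so the suite
// name still carries key exchange and signature algorithm; ECDH keys are ephemeral.
func ServerConfig(cert tls.Certificate, curves []tls.CurveID, suites []uint16) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert},
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CurvePreferences: curves, CipherSuites: suites}
}
func ClientConfig(pool *x509.CertPool, curves []tls.CurveID, suites []uint16) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: "mesos-example.invalid",
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CurvePreferences: curves, CipherSuites: suites}
}

// Handshake runs one handshake over an in-memory pipe and returns the
// negotiated cipher suite name, or the error that ended the handshake.
func Handshake(srvCfg, cliCfg *tls.Config) (string, error) {
	a, b := net.Pipe()
	defer a.Close() // close the raw ends; tls.Conn.Close would wait on close_notify
	defer b.Close()
	a.SetDeadline(time.Now().Add(5 * time.Second)) // safety net against a stuck handshake
	b.SetDeadline(time.Now().Add(5 * time.Second))
	srv, cli := tls.Server(a, srvCfg), tls.Client(b, cliCfg)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cliErr := cli.Handshake()
	if err := <-srvErr; err != nil {
		return "", err
	} else if cliErr != nil {
		return "", cliErr
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func main() {
	cert, pool, err := selfSignedECDSA()
	if err != nil {
		panic(err)
	}
	ecdsaSuite := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
	rsaSuite := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
	p256, p384 := []tls.CurveID{tls.CurveP256}, []tls.CurveID{tls.CurveP384}
	both := []tls.CurveID{tls.CurveP384, tls.CurveP256}
	for _, tc := range []struct {
		name     string
		srv, cli *tls.Config
	}{
		{"shared curve", ServerConfig(cert, p256, ecdsaSuite), ClientConfig(pool, both, ecdsaSuite)},
		// Server restricted to P-256, client offers only P-384: no usable curve.
		{"no shared curve", ServerConfig(cert, p256, ecdsaSuite), ClientConfig(pool, p384, ecdsaSuite)},
		// Client wants ECDHE-RSA; the server lists it but holds only an ECDSA key.
		{"ECDHE-RSA, ECDSA key", ServerConfig(cert, p256, append(ecdsaSuite, rsaSuite...)), ClientConfig(pool, both, rsaSuite)},
	} {
		suite, err := Handshake(tc.srv, tc.cli)
		fmt.Printf("%-20s suite=%q err=%v\n", tc.name, suite, err)
	}
}
```

Run it with `go run`: the first handshake reports TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (the server picked P-256, the one curve on both lists); the other two end with an error raised by the server when it finds no cipher suite it can use, which is what a libprocess peer will also see if LIBPROCESS_SSL_ECDH_CURVES names no curve the other side offers, or if an ECDHE-ECDSA suite is listed but the configured key is RSA. Note that the first failure is not distinguishable from the second on the wire; both surface as a handshake failure, so check the curve list and the key type together when debugging.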

          People

          • Assignee: arojas Alexander Rojas
          • Reporter: arojas Alexander Rojas
          • Shepherd: Till Toenshoff
          • Votes: 0
          • Watchers: 4
