Uploaded image for project: 'Traffic Server'
  1. Traffic Server
  2. TS-2392

Enable elliptic curve ciphers to support forward secrecy

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: SSL
    • Labels:
      None

      Description

      ATS does not seem to support the elliptic curve diffie hellman ephemeral key exchanges (ECDH) that are available in openssl. It seems these needs to be enabled explicitly to take advantage of them. Ref: the following commit for how this support was added to apache httpd v2.3.3:

      http://mail-archives.apache.org/mod_mbox/httpd-cvs/200911.mbox/%3C20091110075514.166A6238890A@eris.apache.org%3E

      and for stud:

      https://github.com/bumptech/stud/pull/61/files

      Maybe both a DH key exchange needs to be set up, and then the various elliptic curves needs to be initialized..?

      Checking the openssl docs, I see SSL_CTX_set_tmp_dh_callback() needs to be called to set up the ephemeral keys:

      http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html

      https://tech.immerda.ch/2011/11/the-state-of-forward-secrecy-in-openssl/

      http://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman

      And these are the named curves available with openssl-1.0.1e-16.el6_5.x86_64 on RHEL-6.5:

      $ openssl ecparam -list_curves
        secp384r1 : NIST/SECG curve over a 384 bit prime field
        prime256v1: X9.62/SECG curve over a 256 bit prime field
      
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                janfrode Jan-Frode Myklebust
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: