Add support for ECDH, from upstream - pkgsrc

diff options

author	manu <manu>	2015-09-14 16:32:26 +0000
committer	manu <manu>	2015-09-14 16:32:26 +0000
commit	996d57f0698cbba55735f602b9de7c8167d8e32d (patch)
tree	a84276f5501bdd0ba3dd9050259335106bb98882 /fonts
parent	dade6a1e3d201065c03555a51c90e4446bd4656d (diff)
download	pkgsrc-996d57f0698cbba55735f602b9de7c8167d8e32d.tar.gz

Add support for ECDH, from upstream

After the recent logjam attack, longer DH parameter size have been advised. Unfortunately, this comes with a high computational cost. ECDH is a good alternative to acheive forward secrecy with lower CPU Loads. This patch is a backport from upstream ECDH umplementation. ECDH is enabled by speciying a curve name through the TLSECName directive. Valid curve names can be obtaines by openssl ecparam -list_curves Advised usage for a forward-secrecy only setup wiht only ECDH: TLSCipherSuite EECDH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL TLSECName prime256v1 If backward compatibility with older clients is required: TLSCipherSuite EECDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL TLSECName prime256v1 Backward compatible flavor with more forward secrecy, at the expense of using costly DH. dh2048.pem is obtained using openssl dhparam 2048 > /etc/openssl/certs/dh2048.pem TLSCipherSuite EECDH:EDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL TLSDHParamFile /etc/openssl/certs/dh2048.pem TLSECName prime256v1

Diffstat (limited to 'fonts')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: