[SERVER-24897] Configure Diffie-Hellman parameters for OpenSSL
Created: 05/Jul/16 | Updated: 06/Dec/17 | Resolved: 14/Aug/17

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Networking, Security |
| Affects Version/s: | None |
| Fix Version/s: | 3.5.12 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | ADAM Martin (Inactive) |
| Resolution: | Done | Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Sprint: | Platforms 2017-07-31, Platforms 2017-08-21 |
| Participants: | |

| Description |
In order to enable Perfect Forward Security compatible cipher suites when using OpenSSL, we should configure OpenSSL via the guidelines here: https://wiki.openssl.org/index.php/Diffie-Hellman_parameters

Though standard Diffie-Hellman seems fairly straightforward to configure, note that the preferred way to configure Elliptic Curve Diffie-Hellman requires a call to SSL_CTX_set_ecdh_auto, which as a symbol is only exposed by OpenSSL 1.0.2 and above. We may wish to switch between ECDH configuration implementations based on what's available at compile time, though the majority of vendor supplied OpenSSL libraries will not currently be able to use it. Runtime acquisition of a function pointer may also be possible, but would be more difficult to implement.
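The two configuration steps the description refers to, loading a DH parameters file for DHE suites and pinning a named curve for ECDHE suites, shown as an added example that is not the server's own code (the server is C++; this uses Python's ssl module, which wraps the same OpenSSL calls: load_dh_params maps to SSL_CTX_set_tmp_dh, set_ecdh_curve to SSL_CTX_set_tmp_ecdh or SSL_CTX_set1_groups depending on the OpenSSL version). The DH group embedded below is RFC 3526 group 14 (2048-bit MODP), included only so the example runs offline; the DER/PEM encoding helpers, the FORWARD_SECRET_CIPHERS string, and all function names are this example's own choices. A real deployment points the server at a file produced by `openssl dhparam -out dh2048.pem 2048`, which is what the "Diffie Hellman parameters file" option in the resolving commit expects.

```python
"""Forward-secret TLS server context: DH parameters plus an ECDH curve.

Python's ssl module is a thin wrapper over the OpenSSL calls this ticket
discusses, so the same two steps (tmp DH params, tmp ECDH curve) apply.
"""
import base64
import os
import ssl
import tempfile
from typing import Optional

# RFC 3526 group 14 (2048-bit MODP), embedded here only so the example is
# self-contained.  Production: generate your own file with `openssl dhparam`.
GROUP14_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP14_G = 2

# Only DHE and ECDHE key exchange; no static RSA key transport (example's choice).
FORWARD_SECRET_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL"
)


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(n: int) -> bytes:
    """DER INTEGER; the +8 forces a leading 0x00 byte when the top bit is set."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def rfc3526_group14_pem() -> str:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured,
    i.e. the same format `openssl dhparam` writes."""
    content = _der_int(GROUP14_P) + _der_int(GROUP14_G)
    der = b"\x30" + _der_len(len(content)) + content
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def write_dh_params(pem: str) -> str:
    """Write the PEM to a temp file and return its path (stands in for a config option)."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as f:
        f.write(pem)
    return path


def plain_server_context() -> ssl.SSLContext:
    """OpenSSL/Python defaults, for comparison: still offers static-RSA key exchange."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def build_forward_secret_context(dh_params_path: Optional[str] = None) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FORWARD_SECRET_CIPHERS)
    # ECDHE: name the curve for the ephemeral key.  This is the explicit path
    # that works on OpenSSL builds predating SSL_CTX_set_ecdh_auto (1.0.2).
    if ssl.HAS_ECDH:
        ctx.set_ecdh_curve("prime256v1")
    # DHE: OpenSSL will not select a DHE suite unless temporary DH parameters
    # (or automatic DH groups) have been configured, so load the file if given.
    if dh_params_path is not None:
        ctx.load_dh_params(dh_params_path)
    return ctx


def key_exchanges(ctx: ssl.SSLContext) -> set:
    """Key-exchange labels OpenSSL reports for every suite the context can negotiate."""
    return {c["kea"] for c in ctx.get_ciphers()}


def forward_secret_only(ctx: ssl.SSLContext) -> bool:
    """True when every negotiable suite uses ephemeral (EC)DH.  'kx-any' is
    OpenSSL's label for TLS 1.3 suites, whose key exchange is always ephemeral."""
    return key_exchanges(ctx) <= {"kx-ecdhe", "kx-dhe", "kx-any"}


def offers_dhe(ctx: ssl.SSLContext) -> bool:
    return "kx-dhe" in key_exchanges(ctx)


if __name__ == "__main__":
    path = write_dh_params(rfc3526_group14_pem())
    hardened = build_forward_secret_context(path)
    print("default  :", sorted(key_exchanges(plain_server_context())))
    print("hardened :", sorted(key_exchanges(hardened)), "forward-secret only:", forward_secret_only(hardened))
    os.remove(path)
```

forward_secret_only is the check worth keeping around: a cipher string that merely prefers ECDHE still leaves static-RSA suites negotiable, and get_ciphers() exposes what OpenSSL will actually offer after the security level and curve/parameter configuration have been applied.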
| Comments |
| Comment by Githook User [ 14/Aug/17 ] |

Author: {'name': 'ADAM David Alan Martin', 'username': 'adamlsd', 'email': 'adam.martin@10gen.com'}
Message: Added an option to permit specifying a Diffie Hellman parameters file