[SERVER-24897] Configure Diffie-Hellman parameters for OpenSSL Created: 05/Jul/16  Updated: 06/Dec/17  Resolved: 14/Aug/17

Status: Closed
Project: Core Server
Component/s: Networking, Security
Affects Version/s: None
Fix Version/s: 3.5.12

Type: Improvement Priority: Major - P3
Reporter: Spencer Jackson Assignee: ADAM Martin (Inactive)
Resolution: Done Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Backwards Compatibility: Fully Compatible
Sprint: Platforms 2017-07-31, Platforms 2017-08-21
Participants:

Description

To enable cipher suites with Perfect Forward Secrecy when using OpenSSL, we should configure OpenSSL following the guidelines here: https://wiki.openssl.org/index.php/Diffie-Hellman_parameters

Though standard Diffie-Hellman seems fairly straightforward to configure, note that the preferred way to configure Elliptic Curve Diffie-Hellman requires a call to SSL_CTX_set_ecdh_auto, a symbol only exposed by OpenSSL 1.0.2 and above. We may wish to switch between ECDH configuration implementations based on what is available at compile time, though the majority of vendor-supplied OpenSSL libraries will not currently be able to use it. Runtime acquisition of a function pointer may also be possible, but would be more difficult to implement.
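The configuration described above, as an added example that is not MongoDB's code: it uses Python's ssl module, which wraps the same OpenSSL calls (load_dh_params is PEM_read_DHparams plus SSL_CTX_set_tmp_dh, and SSLContext already calls SSL_CTX_set_ecdh_auto on OpenSSL 1.0.2 and newer, so the pinned-curve branch is the pre-1.0.2 fallback the ticket discusses). It also checks that no enabled suite lacks ephemeral key exchange. The DH parameters file path and the fallback curve name are assumptions.

```python
"""Server-side TLS context with an optional DH parameters PEM file (for DHE
suites), ECDHE enabled, and a check that only forward-secret key exchanges
remain enabled.  Added example; not the project's own code."""
import ssl

# Key-exchange tags reported by SSLContext.get_ciphers(). "kx-any" is what
# OpenSSL reports for TLS 1.3 suites, whose key exchange is always ephemeral.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}

# Offer only authenticated (EC)DHE suites; the '!' terms drop anonymous/weak ones.
FS_ONLY_CIPHERS = "ECDHE:DHE:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def build_server_context(dh_params_pem=None, fallback_curve="prime256v1"):
    """dh_params_pem: path to a PEM DH-params file (assumed, caller-supplied);
    without it DHE suites are offered but cannot complete a handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(FS_ONLY_CIPHERS)
    # Fresh (EC)DH key per handshake; a no-op on OpenSSL >= 1.1.0, which always does this.
    ctx.options |= ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE
    if dh_params_pem is not None:
        ctx.load_dh_params(dh_params_pem)
    # Python enables SSL_CTX_set_ecdh_auto on 1.0.2+ (always on in 1.1.0+);
    # older builds need an explicit curve, the compile-time fallback from the ticket.
    if ssl.HAS_ECDH and ssl.OPENSSL_VERSION_INFO < (1, 0, 2):
        ctx.set_ecdh_curve(fallback_curve)
    return ctx


def is_forward_secret(cipher):
    """cipher: one dict as returned by SSLContext.get_ciphers()."""
    kea = cipher.get("kea")
    if kea is not None:
        return kea in FORWARD_SECRET_KEA
    # Very old builds omit 'kea'; fall back to the suite name.
    return cipher["name"].startswith(("ECDHE-", "DHE-", "TLS_"))


def forward_secrecy_violations(ctx):
    """Names of enabled suites without ephemeral key exchange (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c)]


if __name__ == "__main__":
    ctx = build_server_context()
    print(ssl.OPENSSL_VERSION, "->", len(ctx.get_ciphers()), "suites enabled,",
          "violations:", forward_secrecy_violations(ctx))
```

Run it against the OpenSSL your build links to; an empty violations list means every suite a client can negotiate uses (EC)DHE, which is the property the DH and ECDH configuration is meant to guarantee.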



Comments
Comment by Githook User [ 14/Aug/17 ]

Author: ADAM David Alan Martin (adamlsd, adam.martin@10gen.com)

Message: SERVER-24897 Configuration of DHE parameters.

Added an option to permit specifying a Diffie Hellman parameters file
in PEM format which will be passed to OpenSSL. We also now indicate
to OpenSSL that we'd like Elliptic Curve Diffie Hellman Exchange,
if the client supports it.
Branch: master
https://github.com/mongodb/mongo/commit/476e861748510449511eb0a9a250a03cff8c07e6

Generated at Thu Feb 08 04:07:43 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.