Opened 11 years ago
Closed 10 years ago
#1765 closed enhancement (fixed)
Add Perfect Forward Secrecy (PFS) support in OpenSSL socket (thanks to Alexander Traud for the patch)
| Reported by: | ming | Owned by: | bennylp |
|---|---|---|---|
| Priority: | normal | Milestone: | release-2.3 |
| Component: | pjlib | Version: | trunk |
| Keywords: | | Cc: | |
| Backport to 1.x milestone: | | Backported: | no |
Description (last modified by ming)
Usage (optional):
Append DH parameters into the private key file (privkey_file), for example here for ephemeral DH (DHE). Ephemeral ECDH (ECDHE) works automatically. Without specifying a cipher-suite,

    # openssl ciphers -v DEFAULT

is used. Consider reordering or disabling certain suites. Make sure to set the 'method' parameter to the value 'sslv23' because this disables SSL 2.0 and is the only way to enable TLS 1.2 in pjsip, currently. TLS 1.2 is required to enable AES-GCM cipher-suites.
Drawback:
For Java clients, go for a 1024-bit parameter file, or disable DHE via 'cipher', or put ECDHE high in priority (of 'cipher').
Speed:
With a mobile phone from 2006 (Nokia E61), DHE/3DES and a 2048-bit parameter, the speed penalty is about 0,5 seconds per connection setup.
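
The usage notes above depend on what is actually inside privkey_file. The following check is an added example, not part of the ticket or the patch: it reads a PEM file's text, reports whether a DH PARAMETERS block was appended, and decodes the size of the DH prime so the "Drawback" note can be checked before deployment. The function names and the sample input are assumptions made for this illustration; the sample holds a placeholder key block and a right-sized integer that is not a real DH prime.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _read_len(der, i):
    """Decode the DER length at offset i; return (length, offset after it)."""
    if der[i] < 0x80:
        return der[i], i + 1
    n = der[i] & 0x7F
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(der):
    """Bit length of p in PKCS#3 DHParameter ::= SEQUENCE { INTEGER p, INTEGER g }."""
    if der[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE")
    _, i = _read_len(der, 1)
    if der[i:i + 1] != b"\x02":
        raise ValueError("expected INTEGER p")
    plen, i = _read_len(der, i + 1)
    if plen == 0 or i + plen > len(der):
        raise ValueError("truncated INTEGER p")
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def audit_privkey_file(pem_text):
    """Summarise a privkey_file: key present? DH block appended? how large?"""
    blocks = PEM_RE.findall(pem_text)
    dh = [base64.b64decode(body) for label, body in blocks if label == "DH PARAMETERS"]
    bits = dh_prime_bits(dh[0]) if dh else None
    return {
        "has_private_key": any(label.endswith("PRIVATE KEY") for label, _ in blocks),
        "dh_bits": bits,  # None: no DH block, so per the ticket only ECDHE applies
        "java_drawback": bool(bits and bits > 1024),  # the ticket's "Drawback" note
    }

def _tlv(tag, body):
    """DER-encode one tag/length/value (used only to build the sample below)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_privkey_file(bits):
    """Constructed sample: placeholder key block plus an odd integer, not a real prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    der = _tlv(0x30, _tlv(0x02, p) + _tlv(0x02, b"\x02"))
    b64 = base64.encodebytes(der).decode()
    return ("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
            "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n")
```

To audit a real file, pass its contents to audit_privkey_file(); only the DH PARAMETERS block is decoded, the private key block is matched by its label and never parsed.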
Change History (5)
comment:1 Changed 11 years ago by ming
- Resolution set to fixed
- Status changed from new to closed
comment:2 Changed 11 years ago by ming
- Description modified (diff)
comment:3 Changed 10 years ago by riza
- Resolution fixed deleted
- Status changed from closed to reopened
comment:4 Changed 10 years ago by riza
In 4871:
comment:5 Changed 10 years ago by riza
- Resolution set to fixed
- Status changed from reopened to closed
In 4832: