Opened 6 years ago

Closed 6 years ago

#1765 closed enhancement (fixed)

Add Perfect Forward Secrecy (PFS) support in OpenSSL socket (thanks to Alexander Traud for the patch)

Reported by: ming Owned by: bennylp
Priority: normal Milestone: release-2.3
Component: pjlib Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported: no

Description (last modified by ming)

Usage (optional):
Append DH parameters into the private key file (privkey_file), for example here for ephemeral DH (DHE). Ephemeral ECDH (ECDHE) works
automatically. Without specifying a cipher-suite,
# openssl ciphers -v DEFAULT
is used. Consider reordering or disabling certain suites. Make sure to set
the 'method' parameter to the value 'sslv23' because this disables SSL 2.0
and is the only way to enable TLS 1.2 in pjsip, currently. TLS 1.2 is
required to enable AES-GCM cipher-suites.

Drawback:
For Java clients, go for a 1024bit parameter file, or
disable DHE via 'cipher', or put ECDHE high in priority (of 'cipher').

Speed:
With a mobile phone from 2006 (Nokia E61), DHE/3DES and a 2048bit parameter,
the speed penalty is about 0,5 seconds per connection setup.

Change History (5)

comment:1 Changed 6 years ago by ming

  • Resolution set to fixed
  • Status changed from new to closed

In 4832:

Fixed #1765: Add PFS support

comment:2 Changed 6 years ago by ming

  • Description modified (diff)

comment:3 Changed 6 years ago by riza

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:4 Changed 6 years ago by riza

In 4871:

Re #1765:

  • Fixed unnecessary white-space error
  • Limiting log message to servers
  • Adding SSL_OP_SINGLE_ECDH_USE optionally
  • OpenSSL could be built without elliptic curve support, or too old

comment:5 Changed 6 years ago by riza

  • Resolution set to fixed
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.