Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#1765 closed enhancement (fixed)

Add Perfect Forward Secrecy (PFS) support in OpenSSL socket (thanks to Alexander Traud for the patch) — at Version 2

Reported by: ming Owned by: bennylp
Priority: normal Milestone: release-2.3
Component: pjlib Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported: no

Description (last modified by ming)

Usage (optional):
Append DH parameters to the private key file (privkey_file), for example here for ephemeral DH (DHE). Ephemeral ECDH (ECDHE) works automatically. Without specifying a cipher suite,
# openssl ciphers -v DEFAULT
is used. Consider reordering or disabling certain suites. Make sure to set the 'method' parameter to the value 'sslv23' because this disables SSL 2.0 and is the only way to enable TLS 1.2 in pjsip, currently. TLS 1.2 is required to enable AES-GCM cipher suites.

Drawback:
For Java clients, go for a 1024-bit parameter file, or disable DHE via 'cipher', or put ECDHE high in priority (of 'cipher').

Speed:
With a mobile phone from 2006 (Nokia E61), DHE/3DES and a 2048-bit parameter, the speed penalty is about 0.5 seconds per connection setup.
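
The description above is a three-step procedure (append DH parameters to privkey_file, pick a cipher list, set method to sslv23). The following is an added example, not pjsip code and not part of the patch, that checks the first two inputs before they reach the server: it parses the PEM blocks in a privkey_file and reports the DH prime size (the Java drawback is about primes above 1024 bits), and it turns `openssl ciphers -v` output into a cipher string that keeps only forward-secret suites with ECDHE ahead of DHE. It assumes, as the description states, that pjsip reads the DH parameters from a `DH PARAMETERS` block in the same PEM file as the key; the key block, the DH prime and the cipher listing below are constructed sample data, and the helper names are the example's own.

```python
"""Added example (not pjsip's or the patch author's code).

Assumption: pjsip takes DH parameters from a 'DH PARAMETERS' PEM block
appended to privkey_file.  All sample data here is constructed.
"""
import base64
import re

# ---- DER helpers: PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b          # long-form length

def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                             # pad so the INTEGER stays positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b

def dh_params_pem(p, g=2):
    """Write (p, g) in the PEM form `openssl dhparam` produces."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{wrapped}\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                               # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_dh_params(der):
    """Return (p, g) from DER-encoded DH parameters."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters are not a SEQUENCE")
    tag_p, p_raw, pos = _read_tlv(body, 0)
    tag_g, g_raw, _ = _read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def inspect_privkey_file(text):
    """Summarise what OpenSSL will find in a pjsip privkey_file."""
    blocks = [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_BLOCK.finditer(text)]
    # No DH block means no DHE suites at all, so nothing for old Java to choke on.
    info = {"has_private_key": any(l.endswith("PRIVATE KEY") for l, _ in blocks),
            "dh_bits": None, "java_safe": True}
    for label, der in blocks:
        if label == "DH PARAMETERS":
            p, _g = parse_dh_params(der)
            info["dh_bits"] = p.bit_length()
            info["java_safe"] = info["dh_bits"] <= 1024   # the ticket's Java drawback
    return info

# ---- cipher list: keep forward-secret suites only, ECDHE before DHE

CIPHERS_V = re.compile(r"^(\S+)\s+\S+\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=\S+\s+Mac=\S+")

def pfs_cipher_string(ciphers_v_output):
    """Build an OpenSSL cipher string from `openssl ciphers -v` output.
    Kx=ECDH / Kx=DH with a real Au are the ephemeral (PFS) suites; Kx=RSA is
    static key transport and Au=None is anonymous, so both are dropped."""
    ecdhe, dhe = [], []
    for line in ciphers_v_output.splitlines():
        m = CIPHERS_V.match(line.strip())
        if not m or m.group(3) == "None":
            continue
        name, kx = m.group(1), m.group(2)
        if kx == "ECDH":
            ecdhe.append(name)
        elif kx == "DH":
            dhe.append(name)
    return ":".join(ecdhe + dhe)

# Constructed sample in the shape of `openssl ciphers -v DEFAULT` (OpenSSL 1.0.x).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
"""

def sample_privkey_file(dh_bits):
    """Constructed privkey_file: placeholder key block plus DH params whose
    prime has exactly dh_bits bits (not actually prime; format demo only)."""
    key = base64.b64encode(b"placeholder, not a real key").decode()
    key_pem = f"-----BEGIN PRIVATE KEY-----\n{key}\n-----END PRIVATE KEY-----\n"
    return key_pem + dh_params_pem((1 << (dh_bits - 1)) | 0xACE1)

if __name__ == "__main__":
    print(inspect_privkey_file(sample_privkey_file(2048)))
    print(pfs_cipher_string(SAMPLE_CIPHERS_V))
```

In practice the DH block comes from `openssl dhparam -out dh2048.pem 2048` appended to the key file with `cat dh2048.pem >> privkey.pem`; run `inspect_privkey_file()` on the result to confirm the block is intact and to see which side of the 1024-bit Java line you are on, and feed the string from `pfs_cipher_string()` to the 'cipher' setting if you want to drop the non-PFS suites from the DEFAULT list rather than just reorder them.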

Change History (2)

comment:1 Changed 8 years ago by ming

  • Resolution set to fixed
  • Status changed from new to closed

In 4832:

Fixed #1765: Add PFS support

comment:2 Changed 8 years ago by ming

  • Description modified (diff)