- o Major features:
- - Servers can now enable the ECDHE TLS ciphersuites when
- available and appropriate. These ciphersuites, when used with
- the P-256 elliptic curve, let us negotiate forward-secure TLS
- secret keys more safely and more efficiently than with our
- previous use of Diffie Hellman modulo a 1024-bit prime.
- Enabling these ciphers was a little tricky, since for a long
- time, clients had been claiming to support them without
- actually doing so, in order to foil fingerprinting. But with
- the client-side implementation of proposal 198 in
- 0.2.3.17-beta, clients can now match the ciphers from recent
- firefox versions *and* list the ciphers they actually mean, so
- servers can believe such clients when they advertise ECDHE
- support in their TLS ClientHello messages.
- This feature requires clients running 0.2.3.17-beta or later,
- and requires both sides to be running OpenSSL 1.0.0 or later
- with ECC support. OpenSSL 1.0.1, with the compile-time option
- "enable-ec_nistp_64_gcc_128", is highly recommended.
- Implements the server side of proposal 198; closes ticket
- 7200.
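Review bot: the entry removed here is the only place in these lines that records the deployment requirements for server-side ECDHE (clients running 0.2.3.17-beta or later, both sides on OpenSSL 1.0.0 or later with ECC support, and the recommendation of OpenSSL 1.0.1 built with "enable-ec_nistp_64_gcc_128"), and nothing visible shows where that text ends up. If it is being folded into the ChangeLog or release notes, keep those requirements and the proposal 198 and ticket 7200 references intact. While moving it, capitalize "Firefox" and write "Diffie-Hellman".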