- o Major features:
- - Servers can now enable the ECDHE TLS ciphersuites when available
- and appropriate. These ciphersuites let us negotiate forward-
- secure TLS secret keys more safely and more efficiently than with
- our previous use of Diffie Hellman modulo a 1024-bit prime.
- By default, public servers prefer the (faster) P224 group, and
- bridges prefer the (more common) P256 group; you can override this
- with the TLSECGroup option.
- Enabling these ciphers was a little tricky, since for a long
- time, clients had been claiming to support them without
- actually doing so, in order to foil fingerprinting. But with
- the client-side implementation of proposal 198 in
- 0.2.3.17-beta, clients can now match the ciphers from recent
- firefox versions *and* list the ciphers they actually mean, so
- servers can believe such clients when they advertise ECDHE
- support in their TLS ClientHello messages.
- This feature requires clients running 0.2.3.17-beta or later,
- and requires both sides to be running OpenSSL 1.0.0 or later
- with ECC support. OpenSSL 1.0.1, with the compile-time option
- "enable-ec_nistp_64_gcc_128", is highly recommended.
- Implements the server side of proposal 198; closes ticket
- 7200.
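Review bot: Every line in this hunk is a removal, starting at "o Major features:", and nothing visible shows the entry being re-added elsewhere. This text is the only statement here of the TLSECGroup defaults (P224 for public servers, P256 for bridges) and of the requirements (clients on 0.2.3.17-beta or later, OpenSSL 1.0.0 or later with ECC support on both sides), so please confirm it is carried into the release changelog rather than dropped. If it is carried over, write "Firefox" and "Diffie-Hellman", and add a sentence on what a server negotiates when the client or the local OpenSSL lacks ECC support, since the entry states the requirement but not the fallback.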