diff options
| author | Matthew Jordan <mjordan@digium.com> | 2014-07-03 12:10:17 +0000 |
|---|---|---|
| committer | Matthew Jordan <mjordan@digium.com> | 2014-07-03 12:10:17 +0000 |
| commit | eaee92198d89f7feb4206b412104f439bc80754f (patch) | |
| tree | bb8dcaa961300461369a9a3cbb76c5ffc069a7e5 /contrib/scripts/dahdi_span_config_hook | |
| parent | d1c6a9e69ed7fedfe2b61e8cd99093011573f587 (diff) | |
main/tcptls: Add support for Perfect Forward Secrecy
This patch enables Perfect Forward Secrecy (PFS) in Asterisk's core TLS API.
Modules that wish to enable PFS should consider the following:
- Ephemeral ECDH (ECDHE) is enabled by default. To disable it, do not
specify a ECDHE cipher suite in a module's configuration, for example:
tlscipher=AES128-SHA:DES-CBC3-SHA
- Ephemeral DH (DHE) is disabled by default. To enable it, add DH parameters
into the private key file, i.e., tlsprivatekey. For an example, see the
default dh2048.pem at
http://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/apps/dh2048.pem?txt
- Because clients expect the server to prefer PFS, and because OpenSSL sorts
its cipher suites by bit strength, (see "openssl ciphers -v DEFAULT")
consider re-ordering your cipher suites in the conf file. For example:
tlscipher=AES128+kEECDH:AES128+kEDH:3DES+kEDH:AES128-SHA:DES-CBC3-SHA:-ADH:-AECDH
will use PFS when offered by the client. Clients which do not offer PFS
fall-back to AES-128 (or even 3DES as recommend by RFC 3261).
Review: https://reviewboard.asterisk.org/r/3647/
ASTERISK-23905 #close
Reported by: Alexander Traud
patches:
tlsPFS_for_HEAD.patch uploaded by Alexander Traud (License 6520)
tlsPFS.patch uploaded by Alexander Traud (License 6520)
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@417803 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'contrib/scripts/dahdi_span_config_hook')
0 files changed, 0 insertions, 0 deletions