author    Nick Mathewson <nickm@torproject.org>  2012-11-28 13:31:17 -0500
committer Nick Mathewson <nickm@torproject.org>  2012-12-25 20:14:07 -0500
commit    175b2678d7dd0ff8b00b597169e4a9a0d8e86f12 (patch)
tree      3d7531b0316a389bee440521e608b7a9ffc72735 /changes
parent    63208aa1e53f5ffc3ecbe47402cc2736bbce6af0 (diff)
download  tor-175b2678d7dd0ff8b00b597169e4a9a0d8e86f12.tar.gz
          tor-175b2678d7dd0ff8b00b597169e4a9a0d8e86f12.zip
Let servers choose better ciphersuites when clients support them
This implements the server side of proposal 198 by detecting when clients lack the magic list of ciphersuites that indicates that they're lying, faking some ciphers they don't really have. When clients lack this list, we can choose any cipher that we'd actually like. The newly allowed ciphersuites are, currently, "All ECDHE-RSA ciphers that OpenSSL supports, except for ECDHE-RSA-RC4". The code to detect the cipher list relies on (ab)use of SSL_set_session_secret_cb.
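The server-side check the commit message describes, as an added example that is not Tor's own code: Tor reads the client's cipher list from inside OpenSSL by hooking SSL_set_session_secret_cb, whereas this example parses the ClientHello bytes directly so it runs stand-alone. Assumptions: FAKE_BROWSER_LIST is a constructed stand-in for the real "magic" list (which lives in Tor's source and is not reproduced here), the server preference order and the choice of the DHE-RSA suites as the fallback every client is trusted to implement are mine, and the function names build_client_hello, parse_client_hello_ciphers, choose_cipher and negotiate are hypothetical. The cipher suite identifiers themselves are the real IANA values.

```python
"""Added example (not Tor's code): the proposal-198 server-side decision
reimplemented over a raw TLS ClientHello so it runs stand-alone.  Tor itself
reads the client's list from inside OpenSSL via SSL_set_session_secret_cb."""
import struct

# IANA cipher suite identifiers (real values, not assumptions).
ECDHE_RSA_AES128_SHA = 0xC013
ECDHE_RSA_AES256_SHA = 0xC014
ECDHE_RSA_RC4_SHA = 0xC011
DHE_RSA_AES128_SHA = 0x0033
DHE_RSA_AES256_SHA = 0x0039
RSA_AES128_SHA = 0x002F
RSA_AES256_SHA = 0x0035
RSA_RC4_SHA = 0x0005
RSA_3DES_SHA = 0x000A

# ASSUMPTION: a constructed stand-in for the "magic" browser-imitation list that
# pre-0.2.3.17 clients advertise verbatim without implementing the ECDHE entries.
# The real list is in Tor's source and is not reproduced here.
FAKE_BROWSER_LIST = (
    ECDHE_RSA_AES128_SHA, ECDHE_RSA_AES256_SHA, ECDHE_RSA_RC4_SHA,
    DHE_RSA_AES128_SHA, DHE_RSA_AES256_SHA,
    RSA_AES128_SHA, RSA_AES256_SHA, RSA_RC4_SHA, RSA_3DES_SHA,
)

# ASSUMPTION: server preference.  ECDHE-RSA suites first, deliberately
# omitting ECDHE-RSA-RC4, then the forward-secret DHE suites every client is
# trusted to really implement.  No static-RSA suite is ever chosen.
ECDHE_SUITES = (ECDHE_RSA_AES256_SHA, ECDHE_RSA_AES128_SHA)
LEGACY_SUITES = (DHE_RSA_AES256_SHA, DHE_RSA_AES128_SHA)


def build_client_hello(ciphers, session_id=b""):
    """Construct a minimal TLS 1.0 record carrying a ClientHello (no extensions)."""
    body = b"\x03\x01" + bytes(32)                 # client_version, random (zeros)
    body += bytes([len(session_id)]) + session_id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_ciphers(record):
    """Return the cipher_suites list from a TLS record holding a ClientHello.
    Every length field is checked so a malformed hello raises instead of
    reading out of bounds or mis-framing the list."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or rec_len < 4 or handshake[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 34                                       # skip client_version + random
    pos += 1 + body[pos]                           # skip session_id
    if pos + 2 > len(body):
        raise ValueError("missing cipher_suites length")
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if suites_len % 2 or suites_len == 0 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + suites_len, 2)]


def choose_cipher(client_list):
    """Proposal 198 server side.  A client that sends exactly the fake list is
    lying about ECDHE, so only the legacy suites are eligible; any other list
    is believed, so the ECDHE-RSA suites (minus RC4) become eligible too.
    Returns the first eligible suite in server preference, or None."""
    client_list = tuple(client_list)
    honest = client_list != FAKE_BROWSER_LIST
    preference = (ECDHE_SUITES if honest else ()) + LEGACY_SUITES
    for suite in preference:
        if suite in client_list:
            return suite
    return None


def negotiate(record):
    """Parse a ClientHello record and pick the suite the server will use."""
    return choose_cipher(parse_client_hello_ciphers(record))


if __name__ == "__main__":
    honest_list = tuple(c for c in FAKE_BROWSER_LIST if c != ECDHE_RSA_RC4_SHA)
    print("fake browser list   -> %#06x" % negotiate(build_client_hello(FAKE_BROWSER_LIST)))
    print("proposal-198 client -> %#06x" % negotiate(build_client_hello(honest_list)))
```

The comparison is an exact match against the whole list, not a check for individual suites: a client that drops, adds or reorders even one entry (as a proposal-198 client does by listing what it really implements) is no longer treated as lying, which is the whole point of the magic-list trick. A client that offers only ECDHE-RSA-RC4 and static-RSA suites gets no forward-secret suite at all and the function returns None, matching the commit's exclusion of ECDHE-RSA-RC4.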
Diffstat (limited to 'changes')
-rw-r--r-- changes/tls_ecdhe | 24
1 files changed, 24 insertions, 0 deletions
diff --git a/changes/tls_ecdhe b/changes/tls_ecdhe
new file mode 100644
index 0000000000..58a8f90692
--- /dev/null
+++ b/changes/tls_ecdhe
@@ -0,0 +1,24 @@
+ o Major features:
+
+ - Servers can now enable the ECDHE TLS ciphersuites when
+ available and appropriate. These ciphersuites, when used with
+ the P-256 elliptic curve, let us negotiate forward-secure TLS
+ secret keys more safely and more efficiently than with our
+ previous use of Diffie Hellman modulo a 1024-bit prime.
+
+ Enabling these ciphers was a little tricky, since for a long
+ time, clients had been claiming to support them without
+ actually doing so, in order to foil fingerprinting. But with
+ the client-side implementation of proposal 198 in
+ 0.2.3.17-beta, clients can now match the ciphers from recent
+ firefox versions *and* list the ciphers they actually mean, so
+ servers can believe such clients when they advertise ECDHE
+ support in their TLS ClientHello messages.
+
+ This feature requires clients running 0.2.3.17-beta or later,
+ and requires both sides to be running OpenSSL 1.0.0 or later
+ with ECC support. OpenSSL 1.0.1, with the compile-time option
+ "enable-ec_nistp_64_gcc_128", is highly recommended.
+ Implements the server side of proposal 198; closes ticket
+ 7200.
+
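Review bot: the last paragraph of the new entry (the "This feature requires ..." block) leaves out two facts a relay operator reading the changelog would want, both stated in the commit message: which suites the server will now pick (every ECDHE-RSA suite OpenSSL supports except ECDHE-RSA-RC4) and that detection of pre-198 clients hinges on SSL_set_session_secret_cb, which ties the feature to that OpenSSL API and belongs next to the OpenSSL version requirement. Suggest adding a sentence such as "Servers prefer the ECDHE-RSA ciphersuites other than ECDHE-RSA-RC4 when the client is believed." Two style nits in the same entry: "Diffie Hellman modulo a 1024-bit prime" should be "Diffie-Hellman", and "firefox" should be capitalized as "Firefox".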