blob: 58a8f9069213ddba09269c9993bb001f882cf3ac (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
o Major features:
- Servers can now enable the ECDHE TLS ciphersuites when
available and appropriate. These ciphersuites, when used with
the P-256 elliptic curve, let us negotiate forward-secure TLS
secret keys more safely and more efficiently than with our
previous use of Diffie Hellman modulo a 1024-bit prime.
Enabling these ciphers was a little tricky, since for a long
time, clients had been claiming to support them without
actually doing so, in order to foil fingerprinting. But with
the client-side implementation of proposal 198 in
0.2.3.17-beta, clients can now match the ciphers from recent
firefox versions *and* list the ciphers they actually mean, so
servers can believe such clients when they advertise ECDHE
support in their TLS ClientHello messages.
This feature requires clients running 0.2.3.17-beta or later,
and requires both sides to be running OpenSSL 1.0.0 or later
with ECC support. OpenSSL 1.0.1, with the compile-time option
"enable-ec_nistp_64_gcc_128", is highly recommended.
Implements the server side of proposal 198; closes ticket
7200.
|
