Please sign in to comment.
Murmur: add support for EDH cipher suites, and for specifying Diffie-…
…Hellman parmeters. This change allows server admins to specify Diffie-Hellman parameters for Murmur to use. This is done using the sslDHParams option in the config file. Diffie-Hellman parameters can also be set on a per-server basis using the sslDHParams option. Note: the functionality implemented in this change requires the QSslDiffieHellmanParameters class in Qt, which has not yet landed upstream in the Qt 5 'dev' branch. This means that the functionality discussed in this change will, for now, only work in binaries provided by the Mumble project, or binaries that are built using our build environments, and not binaries that link against any released versions of Qt at present. This change modifies the default TLS cipher suite string to add EDH+aRSA+AESGCM, DHE-RSA-AES256-SHA and DHE-RSA-AES128-SHA. This yields the following ciphers, in TLS/RFC notation: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA This change also allows Murmur servers to provide forward secrecy to older clients, such as our own pre-built binaries before 1.2.9. It also provides forward secrecy for users that use Mumble 1.2.x versions on Linux distros, and other Unix-like systems. This is because Mumble 1.2.x on Unix-like systems builds against Qt 4, which limits the connection to TLS 1.0. Before this change, Murmur was not able to negotiate an ephemeral Diffie-Hellman key exchange for those clients. This is now possible.
- Loading branch information...
Showing with 172 additions and 6 deletions.