github.com/mumble-voip/mumble.git
author Mikkel Krautz <mikkel@krautz.dk> 2015-09-26 23:19:20 +0300
committer Mikkel Krautz <mikkel@krautz.dk> 2015-09-26 23:33:49 +0300
commit 8bd3f76a8ea3d8751c0305cfcaaa3592d2ffa9b2
tree ae2b78600bb8e09f5f9c25a6804f41ff5aff7e75 /scripts/murmur.ini
parent b6276544a1f46f186bf929f4b27b616245b013ce
Murmur: add support for EDH cipher suites, and for specifying Diffie-Hellman parameters.

This change allows server admins to specify Diffie-Hellman parameters for Murmur to use. This is done using the sslDHParams option in the config file. Diffie-Hellman parameters can also be set on a per-server basis using the sslDHParams option.

Note: the functionality implemented in this change requires the QSslDiffieHellmanParameters class in Qt, which has not yet landed upstream in the Qt 5 'dev' branch. This means that the functionality discussed in this change will, for now, only work in binaries provided by the Mumble project, or binaries that are built using our build environments, and not binaries that link against any released versions of Qt at present.

This change modifies the default TLS cipher suite string to add EDH+aRSA+AESGCM, DHE-RSA-AES256-SHA and DHE-RSA-AES128-SHA. This yields the following ciphers, in TLS/RFC notation:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

This change also allows Murmur servers to provide forward secrecy to older clients, such as our own pre-built binaries before 1.2.9. It also provides forward secrecy for users that use Mumble 1.2.x versions on Linux distros, and other Unix-like systems. This is because Mumble 1.2.x on Unix-like systems builds against Qt 4, which limits the connection to TLS 1.0. Before this change, Murmur was not able to negotiate an ephemeral Diffie-Hellman key exchange for those clients. This is now possible.

Diffstat (limited to 'scripts/murmur.ini')
-rw-r--r-- scripts/murmur.ini 9
1 files changed, 8 insertions, 1 deletions
diff --git a/scripts/murmur.ini b/scripts/murmur.ini
index b2c3fff59..02c3c38d2 100644
--- a/scripts/murmur.ini
+++ b/scripts/murmur.ini
@@ -160,6 +160,13 @@ users=100
;sslCert=
;sslKey=
+; The sslDHParams option allows you to specify a PEM-encoded file with
+; Diffie-Hellman parameters, which will be used as the default Diffie-
+; Hellman parameters for all virtual servers.
+; If a file is not specified, each Murmur virtual server will auto-generate
+; its own unique set of 2048-bit Diffie-Hellman parameters on first launch.
+;sslDHParams=
+
; The sslCiphers option chooses the cipher suites to make available for use
; in SSL/TLS. This option is server-wide, and cannot be set on a
; per-virtual-server basis.
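Review bot: The new sslDHParams comment block does not mention the Qt dependency that the commit message calls out. The option needs the QSslDiffieHellmanParameters class, which is not in any released Qt, so an admin running a build linked against stock Qt gets no hint from murmur.ini that the option may not be supported there. Suggest adding a line to the comment saying that the option only works in builds whose Qt provides Diffie-Hellman parameter support. The comment should also say what happens when a file is specified but cannot be read or does not parse as PEM-encoded parameters (fall back to auto-generated parameters, or refuse to start), since a silent fallback would leave the admin believing their own parameters are in use. Finally, the commit message says the option can be set per virtual server, while the comment only describes it as the "default ... for all virtual servers"; stating the per-server override explicitly would match how the neighbouring sslCiphers comment spells out that it is server-wide.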
@@ -176,7 +183,7 @@ users=100
; Note: Changing this option may impact the backwards compatibility of your
; Murmur server, and can remove the ability for older Mumble clients to be able
; to connect to it.
-;sslCiphers=EECDH+AESGCM:AES256-SHA:AES128-SHA
+;sslCiphers=EECDH+AESGCM:EDH+aRSA+AESGCM:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
; If Murmur is started as root, which user should it switch to?
; This option is ignored if Murmur isn't started with root privileges.
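Review bot: The comment lines above the changed sslCiphers default still only warn about backwards compatibility and say nothing about the three entries added here. Since EDH+aRSA+AESGCM, DHE-RSA-AES256-SHA and DHE-RSA-AES128-SHA depend on Diffie-Hellman parameters being available, the comment should point to sslDHParams (or the auto-generated parameters described in the previous hunk) so that the two options are read together. It would also help to note that the trailing AES256-SHA:AES128-SHA entries are static-RSA key exchange suites kept for compatibility and do not provide forward secrecy, so an admin who wants forward secrecy for every connection knows those are the two entries to drop, at the compatibility cost the existing note already describes. As this line is a commented-out sample and the diffstat is limited to scripts/murmur.ini, it is worth confirming that the compiled-in default matches this string exactly, including the order.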