--- main/tcptls.c (revision 416071)
+++ main/tcptls.c (working copy)
@@ -824,6 +824,38 @@
 			ast_log(LOG_ERROR, "TLS/SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
 		}
 	}
+	
+	if (!ast_strlen_zero(cfg->pvtfile)) {
+		BIO *bio = BIO_new_file(cfg->pvtfile, "r");
+		if (bio != NULL) {
+			DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+			if (dh != NULL) {
+				if (SSL_CTX_set_tmp_dh(cfg->ssl_ctx, dh)) {
+					long options = SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE;
+					options = SSL_CTX_set_options(cfg->ssl_ctx, options);
+					ast_verb(2, "TLS/SSL DH initialized, PFS cipher-suites enabled\n");
+				}
+				DH_free(dh);
+			} /* get_dh1024() */
+			BIO_free(bio);
+		}
+	}
+	#ifndef SSL_CTRL_SET_ECDH_AUTO
+		#define SSL_CTRL_SET_ECDH_AUTO 94
+	#endif 
+	/* SSL_CTX_set_ecdh_auto(cfg->ssl_ctx, on); requires OpenSSL 1.0.2 which wraps: */
+	if (SSL_CTX_ctrl(cfg->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
+		ast_verb(0, "SSL ECDH initialized (automatic), faster PFS ciphers enabled\n");
+	} else {
+		/* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
+		EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+		if (ecdh != NULL) {
+			if (SSL_CTX_set_tmp_ecdh(cfg->ssl_ctx, ecdh)) {
+				ast_verb(2, "TLS/SSL ECDH initialized (secp256r1), faster PFS cipher-suites enabled\n");
+			}
+			EC_KEY_free(ecdh);
+		}
+	}
 
 	ast_verb(2, "TLS/SSL certificate ok\n");	/* We should log which one that is ok. This message doesn't really make sense in production use */
 	return 1;