diff -up openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/shttpd/shttpd.c.orig openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/shttpd/shttpd.c
--- openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/shttpd/shttpd.c.orig 2018-06-15 13:18:46.274786925 +0200
+++ openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/shttpd/shttpd.c 2018-06-15 13:18:46.281786924 +0200
@@ -1474,6 +1474,7 @@ set_ssl(struct shttpd_ctx *ctx, const ch
 char *ssl_disabled_protocols = wsmand_options_get_ssl_disabled_protocols();
 char *ssl_cipher_list = wsmand_options_get_ssl_cipher_list();
 int retval = FALSE;
+ EC_KEY* key;
 /* Initialize SSL crap */
 debug("Initialize SSL");
@@ -1493,6 +1494,13 @@ set_ssl(struct shttpd_ctx *ctx, const ch
 else
 retval = TRUE;
+ /* This enables ECDH Perfect Forward secrecy. Currently with just the most generic p256 prime curve */
+ key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ if (key != NULL) {
+ SSL_CTX_set_tmp_ecdh(CTX, key);
+ EC_KEY_free(key);
+ }
+
 while (ssl_disabled_protocols) {
 struct ctx_opts_t {
 char *name;
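Review bot: The ECDH setup added in the second hunk pins the server to a single curve through `SSL_CTX_set_tmp_ecdh(CTX, key)`, which on OpenSSL 1.1.0+ also replaces the default supported-groups list with just P-256 (X25519 and P-384 are no longer offered) and is deprecated there together with the `EC_KEY_new_by_curve_name`/`EC_KEY_free` API, so this block warns on 1.1.x and will not build against OpenSSL 3 with deprecated APIs disabled. Unless pre-1.0.2 OpenSSL must still be supported, `SSL_CTX_set1_curves_list(CTX, "X25519:P-256:P-384")` (or `SSL_CTX_set_ecdh_auto(CTX, 1)` on 1.0.2 only) gives forward secrecy with curve negotiation and no key allocation, and on 1.1.0+ ECDHE is already enabled by default so the block could be dropped behind an `OPENSSL_VERSION_NUMBER` guard. The `if (key != NULL)` branch silently skips the whole setup when the allocation fails and the return value of `SSL_CTX_set_tmp_ecdh` is ignored, so a server that ends up without ECDHE parameters leaves no trace in the log; an `else debug("set_ssl: ECDH curve setup failed");` (or `elog(E_LOG, ...)` as used for the certificate failure) would make that visible. The comment's forward-secrecy claim also presumes that `ssl_cipher_list`, whose use is outside these hunks, actually permits ECDHE suites, so `/* enables ECDHE key exchange; forward secrecy still depends on ssl_cipher_list allowing ECDHE suites */` would be the honest wording, and `EC_KEY *key;` matches the file's pointer-declarator style seen on the `char *` lines above. `set_ssl` begins before the first hunk and continues past the second.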