[mod_openssl] elliptic curve auto selection (fixes #2833)

elliptic curve auto selection where available
openssl v1.0.2 - SSL_CTX_set_ecdh_auto()
openssl v1.1.0 - ECDH support always enabled

  "Using X25519 Key exchange"

  "SSL_CTX_set_ecdh_auto is undefined for newer openssl's"
  It has been removed from OpenSSL 1.1.0.
  Here is the relevant CHANGES entry:
  *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
     always enabled now.  If you want to disable the support you should
     exclude it using the list of supported ciphers. This also means
     that the "-no_ecdhe" option has been removed from s_server.
     [Kurt Roeckx]
This commit is contained in:
Glenn Strauss 2018-01-06 20:05:42 -05:00
parent f90ccdef51
commit 76b9b1fa46
1 changed files with 8 additions and 0 deletions

View File

@ -831,8 +831,16 @@ network_init_ssl (server *srv, void *p_d)
return -1;
} else {
/* Default curve */
nid = OBJ_sn2nid("prime256v1");
#elif OPENSSL_VERSION_NUMBER < 0x10100000L \
if (!SSL_CTX_set_ecdh_auto(s->ssl_ctx, 1)) {
log_error_write(srv, __FILE__, __LINE__, "s",
"SSL: SSL_CTX_set_ecdh_auto() failed");
if (nid) {
EC_KEY *ecdh;