[mod_openssl] elliptic curve auto selection (fixes #2833)

elliptic curve auto selection where available openssl v1.0.2 - SSL_CTX_set_ecdh_auto() openssl v1.1.0 - ECDH support always enabled x-ref: "Using X25519 Key exchange" https://redmine.lighttpd.net/issues/2833 "SSL_CTX_set_ecdh_auto is undefined for newer openssl's" https://github.com/openssl/openssl/issues/1437 It has been removed from OpenSSL 1.1.0. Here is the relevant CHANGES entry: *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is always enabled now. If you want to disable the support you should exclude it using the list of supported ciphers. This also means that the "-no_ecdhe" option has been removed from s_server. [Kurt Roeckx]
2018-01-06 20:05:42 -05:00 · 2018-01-06 20:05:42 -05:00 · 76b9b1fa46
parent f90ccdef51
commit 76b9b1fa46
1 changed files with 8 additions and 0 deletions
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@ -831,8 +831,16 @@ network_init_ssl (server *srv, void *p_d)
                return -1;
            }
        } else {
+          #if OPENSSL_VERSION_NUMBER < 0x10002000
            /* Default curve */
            nid = OBJ_sn2nid("prime256v1");
+          #elif OPENSSL_VERSION_NUMBER < 0x10100000L \
+             || defined(LIBRESSL_VERSION_NUMBER)
+            if (!SSL_CTX_set_ecdh_auto(s->ssl_ctx, 1)) {
+                log_error_write(srv, __FILE__, __LINE__, "s",
+                                "SSL: SSL_CTX_set_ecdh_auto() failed");
+            }
+          #endif
        }
        if (nid) {
            EC_KEY *ecdh;