
[mod_openssl] elliptic curve auto selection (fixes #2833)

elliptic curve auto selection where available
openssl v1.0.2 - SSL_CTX_set_ecdh_auto()
openssl v1.1.0 - ECDH support always enabled

x-ref:
  "Using X25519 Key exchange"
  https://redmine.lighttpd.net/issues/2833

  "SSL_CTX_set_ecdh_auto is undefined for newer openssl's"
  https://github.com/openssl/openssl/issues/1437
  It has been removed from OpenSSL 1.1.0.
  Here is the relevant CHANGES entry:
  *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH support is
     always enabled now.  If you want to disable the support you should
     exclude it using the list of supported ciphers. This also means
     that the "-no_ecdhe" option has been removed from s_server.
     [Kurt Roeckx]
personal/stbuehler/fix-fdevent
Glenn Strauss 3 years ago
parent commit 76b9b1fa46

8
src/mod_openssl.c

@ -831,8 +831,16 @@ network_init_ssl (server *srv, void *p_d)
return -1;
}
} else {
#if OPENSSL_VERSION_NUMBER < 0x10002000
/* Default curve */
nid = OBJ_sn2nid("prime256v1");
#elif OPENSSL_VERSION_NUMBER < 0x10100000L \
|| defined(LIBRESSL_VERSION_NUMBER)
if (!SSL_CTX_set_ecdh_auto(s->ssl_ctx, 1)) {
log_error_write(srv, __FILE__, __LINE__, "s",
"SSL: SSL_CTX_set_ecdh_auto() failed");
}
#endif
}
if (nid) {
EC_KEY *ecdh;
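Review bot: a failing SSL_CTX_set_ecdh_auto() in the `#elif` branch is only logged, while the error path at the top of this hunk does `return -1;`; either treat the failure as fatal for consistency, or make the log message say that the server continues without automatic ECDHE curve selection so the operator knows what state the context is in. Minor: the version literal `0x10002000` on the `#if` line lacks the `L` suffix that `0x10100000L` carries on the `#elif` line; use the same form for both. A one-line comment before `#endif` noting that on OpenSSL 1.1.0+ (non-LibreSSL) neither branch runs, `nid` stays unset and the `if (nid)` block below is skipped on purpose because ECDH is always enabled there, would save the next reader a trip to the commit message.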
