enable automatic ECDH when possible (openssl 1.0.2)

Openssl 1.1.0 and later are enabling ECDH automatically, but for older version it must be enabled explicitly or all Perfect Forward Secrecy ciphers will be silently ignored. See also [1]. This commit applies the same fix as found in CnetOS 7 httpd package to enable automatic ECDH as found in [2]. [1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters [2] https://git.centos.org/blob/rpms!httpd.git/c7/SOURCES!httpd-2.4.6-ssl-ecdh-auto.patch
7 years ago · 6cdc0f31b0
parent 793a418cfb
commit 6cdc0f31b0
1 changed files with 3 additions and 0 deletions
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@ -592,6 +592,9 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
                     SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
                     SSL_MODE_ENABLE_PARTIAL_WRITE);
    SSL_CTX_set_options(self->ctx, options);
+#if defined(SSL_CTX_set_ecdh_auto)
+    SSL_CTX_set_ecdh_auto(self->ctx, 1);
+#endif

    if (g_strlen(tls_ciphers) > 1)
    {