[glib-openssl/wip/improvements: 6/7] Call SSL_CTX_set_ecdh_auto and set it true



commit d2758212375b3c753b00a1a829138d79881810af
Author: Ignacio Casal Quinteiro <qignacio amazon com>
Date:   Wed Oct 25 12:06:46 2017 +0200

    Call SSL_CTX_set_ecdh_auto and set it true
    
    This seems to allow selecting better ciphers. I wonder why
    this is not enabled by default...

 tls/openssl/gtlsserverconnection-openssl.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)
---
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index 1ef4349..bca9413 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -322,6 +322,16 @@ g_tls_server_connection_openssl_initable_init (GInitable       *initable,
   SSL_CTX_add_session (priv->ssl_ctx, priv->session);
 
   set_cipher_list (server);
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
+# ifdef SSL_CTX_set_ecdh_auto
+  SSL_CTX_set_ecdh_auto (priv->ssl_ctx, 1);
+# else
+  SSL_CTX_set_tmp_ecdh (priv->ssl_ctx,
+                        EC_KEY_new_by_curve_name (NID_X9_62_prime256v1));
+# endif
+#endif
+
   SSL_CTX_set_info_callback (priv->ssl_ctx, ssl_info_callback);
 
   priv->ssl = SSL_new (priv->ssl_ctx);
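Review bot: The `# else` branch leaks the EC_KEY: `EC_KEY_new_by_curve_name` returns an allocated key that the caller owns, and `SSL_CTX_set_tmp_ecdh` duplicates it into the context rather than taking ownership, so the temporary must be released with `EC_KEY_free` after the call. The result of `EC_KEY_new_by_curve_name` is also passed on unchecked, and neither `SSL_CTX_set_ecdh_auto` nor `SSL_CTX_set_tmp_ecdh` has its return value inspected, so a failure to enable ephemeral ECDH would go unnoticed and the server would silently fall back to whatever key exchange the cipher list still allows. Holding the key in a local, checking it for NULL and freeing it after the call addresses both. The enclosing `g_tls_server_connection_openssl_initable_init` begins and ends outside the hunk.
```c
# else
  {
    EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);

    /* SSL_CTX_set_tmp_ecdh copies the key; we still own ecdh. */
    if (ecdh != NULL)
      {
        SSL_CTX_set_tmp_ecdh (priv->ssl_ctx, ecdh);
        EC_KEY_free (ecdh);
      }
  }
# endif
```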

