[glib-openssl/wip/improvements: 6/7] Call SSL_CTX_set_ecdh_auto and set it true
- From: Ignacio Casal Quinteiro <icq src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-openssl/wip/improvements: 6/7] Call SSL_CTX_set_ecdh_auto and set it true
- Date: Wed, 25 Oct 2017 14:07:56 +0000 (UTC)
commit d2758212375b3c753b00a1a829138d79881810af
Author: Ignacio Casal Quinteiro <qignacio amazon com>
Date: Wed Oct 25 12:06:46 2017 +0200
Call SSL_CTX_set_ecdh_auto and set it true
This seems to allow to select better ciphers. I wonder why
this is not enabled by default...
tls/openssl/gtlsserverconnection-openssl.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
---
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index 1ef4349..bca9413 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -322,6 +322,16 @@ g_tls_server_connection_openssl_initable_init (GInitable *initable,
SSL_CTX_add_session (priv->ssl_ctx, priv->session);
set_cipher_list (server);
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
+# ifdef SSL_CTX_set_ecdh_auto
+ SSL_CTX_set_ecdh_auto (priv->ssl_ctx, 1);
+# else
+ SSL_CTX_set_tmp_ecdh (priv->ssl_ctx,
+ EC_KEY_new_by_curve_name (NID_X9_62_prime256v1));
+# endif
+#endif
+
SSL_CTX_set_info_callback (priv->ssl_ctx, ssl_info_callback);
priv->ssl = SSL_new (priv->ssl_ctx);
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]