Hello,

On Mon, 7 Aug 2017 16:02:50 +0200 Philipp Huebner <debala...@debian.org
> wrote:
> 
> I think we can fix this for Stretch if the release managers agree to
the
> proposed patch, but I probably won't have time to work on this before
> September. A minimal patch would be welcome!
> 
> I also intend to provide ejabberd >= 17.07 via Stretch backports, but
> again probably not before September.
> 

Well, I took time to read the processone/fast_tls upstream log and I've
a bit
better understood how they fixed the ECDH curve setup: with OpenSSL
>=1.0.2,
there's a new function to set up automatically ECDH curves.

Upstream pull request and comments are available here:
https://github.com/processone/fast_tls/pull/21

I've read the log and I applied related commit
(b9c17209cc4a9cf149f8a64903b4c2b46c125dac)
and the follow up fixes (bffee501cd05be3511bbdc0c8f7ed78e36276d5a and
94101d38d965abd90012acd404922519a3295e55).

Note that I had to manually backports these commits to file
"c_src/fast_tls_drv.c" as current upstream code has moved this file to
"c_src/fast_tls.c" when they passed to the "Nif version".

With all these informations, I made the attached patch for the erlang-
p1-tls
package (it's made to be applied above the version 1.0.7-2).

I've then compiled locally and applied on my ejabberd server: after
ejabberd
service restart I was able to use either my RSA key or my ECDSA key
without any
issue.

Regards,
Adrien
Backport upstream patch to "use openssl built-in function for setting up ECDH curves".

This patch includes these upstream commits:

commit 94101d38d965abd90012acd404922519a3295e55
Author: Paweł Chmielowski <pchmielow...@process-one.net>
Date:   Mon Jul 10 22:33:04 2017 +0200

    Revert condition from last commit

commit bffee501cd05be3511bbdc0c8f7ed78e36276d5a
Author: Paweł Chmielowski <pchmielow...@process-one.net>
Date:   Mon Jul 10 22:27:57 2017 +0200

    SSL_CTX_set_ecdh_auto was available starting with openssl 1.0.2

commit b9c17209cc4a9cf149f8a64903b4c2b46c125dac
Author: Paweł Chmielowski <pchmielow...@process-one.net>
Date:   Mon Jul 10 22:20:42 2017 +0200

    Use openssl built-in function for setting up ECDH curves (thanks to user pitchum)
    
    This should fixes #20
--- a/c_src/fast_tls_drv.c
+++ b/c_src/fast_tls_drv.c
@@ -383,17 +383,7 @@
 #ifndef OPENSSL_NO_ECDH
 static void setup_ecdh(SSL_CTX *ctx)
 {
-   EC_KEY *ecdh;
-
-   if (SSLeay() < 0x1000005fL) {
-      return;
-   }
-
-   ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-   SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
-   SSL_CTX_set_tmp_ecdh(ctx, ecdh);
-
-   EC_KEY_free(ecdh);
+   SSL_CTX_set_ecdh_auto(ctx, 1);
 }
 #endif
 
@@ -951,6 +941,11 @@
 }
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || OPENSSL_VERSION_NUMBER < 0x10002000
+#undef SSL_CTX_set_ecdh_auto
+#define SSL_CTX_set_ecdh_auto(A, B) do {} while(0)
+#endif
+
 DRIVER_INIT(fast_tls_drv) /* must match name in driver_entry */
 {
    CRYPTO_set_mem_functions(our_alloc, our_realloc, our_free);

Reply via email to