1) In other code I see
EC_KEY_free(ecdh);
after
EC_KEY *ecdh = EC_KEY_new_by_curve_name(...)
and using ecdh, e.g. in
SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
Should we add the free? Or is it not needed? Does anyone know why?
2) In modules/ssl/ssl_private.h I see
/**
* The following features all depend on TLS extension support.
* Within this block, check again for features (not version numbers).
*/
#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
#define HAVE_TLSEXT
and then further checks and defines for OCSP, Session Tickets, SRP,
ALPN, all inside this "if" block.
Is it really true that they are only supported if
SSL_set_tlsext_host_name is defined? That function seems to belong only
to SNI.
Should we switch the code to:
/**
* The following features all depend on TLS extension support.
* Within this block, check again for features (not version numbers).
*/
#if !defined(OPENSSL_NO_TLSEXT)
#define HAVE_TLSEXT
#if defined(SSL_set_tlsext_host_name)
#define HAVE_SNI
#endif
and then use HAVE_SNI where appropriate.
Regards,
Rainer