This is my first attempt at a patch; I'd love to get some feedback on it.
Adds support for SSL_CTX_set_ecdh_auto which is available in OpenSSL 1.0.2.
From 05bee3e95e5969294998fb9e2794ef65ce5a6c1f Mon Sep 17 00:00:00 2001
From: David Martin <[email protected]>
Date: Wed, 13 Apr 2016 15:09:35 -0500
Subject: [PATCH] use SSL_CTX_set_ecdh_auto() for ecdh curve selection

Use SSL_CTX_set_ecdh_auto if the OpenSSL version supports it, this allows the server to negotiate ECDH curves much like it does ciphers. Prefered curves can be specified using the existing ecdhe bind options (ecdhe secp384r1:prime256v1)
---
 src/ssl_sock.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0d35c29..a1af8cd 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2756,7 +2756,13 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_cbk);
 SSL_CTX_set_tlsext_servername_arg(ctx, bind_conf);
 #endif
-#if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)
+#if !defined(OPENSSL_NO_ECDH)
+#if defined(SSL_CTX_set_ecdh_auto)
+ {
+ SSL_CTX_set1_curves_list(ctx, bind_conf->ecdhe);
+ SSL_CTX_set_ecdh_auto(ctx, 1);
+ }
+#elif defined(SSL_CTX_set_tmp_ecdh)
 {
 int i;
 EC_KEY *ecdh;
@@ -2774,6 +2780,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 }
 }
 #endif
+#endif
 return cfgerr;
 }
--
1.9.1
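Review bot: The return value of `SSL_CTX_set1_curves_list()` is discarded in the new `SSL_CTX_set_ecdh_auto` branch, so a misspelled or unsupported name in the `ecdhe` bind option is silently ignored and the listener falls back to OpenSSL's built-in curve list, whereas the `SSL_CTX_set_tmp_ecdh` branch it replaces on 1.0.2 appears to count a bad curve into `cfgerr` (its body runs outside the hunk). Check it and fail the configuration the same way: `if (!SSL_CTX_set1_curves_list(ctx, bind_conf->ecdhe))` followed by the same alert and `cfgerr++` the old branch uses. If `bind_conf->ecdhe` can be NULL when the option is absent (the old branch presumably substitutes a default curve), the new branch needs the same default, since a NULL list is rejected by OpenSSL rather than treated as "use defaults". The `ecdhe` keyword's documentation should also state that it now takes a colon-separated list on OpenSSL 1.0.2 and later. ssl_sock_prepare_ctx() starts and ends outside this hunk.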

