On 02/16/2017 11:27 PM, wr...@apache.org wrote:
> Author: wrowe
> Date: Thu Feb 16 22:27:24 2017
> New Revision: 1783317
>
> URL: http://svn.apache.org/viewvc?rev=1783317&view=rev
> Log:
> Avoid unnecessary code (the deprecation macro wrapper itself emits unused args
> warnings) in OpenSSL 1.1.0 and avoid _free()ing NULL references.
>
>
> Modified:
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1783317&r1=1783316&r2=1783317&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Thu Feb 16 22:27:24 2017 > @@ -1320,19 +1320,24 @@ static apr_status_t ssl_init_server_cert > OBJ_nid2sn(nid), vhost_id, certfile); > } > /* > - * ...otherwise, enable auto curve selection (OpenSSL 1.0.2 and later) > + * ...otherwise, enable auto curve selection (OpenSSL 1.0.2) > * or configure NIST P-256 (required to enable ECDHE for earlier > versions) > + * ECDH is always enabled in 1.0.2 unless excluded from SSLCipherList
Shouldn't that be 1.1.0 above instead of 1.0.2?

> */ > +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) > else { > -#if defined(SSL_CTX_set_ecdh_auto) > +#elif defined(SSL_CTX_set_ecdh_auto) > SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1); > #else > eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); > SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey); > #endif > } > - EC_KEY_free(eckey); > - EC_GROUP_free(ecparams); > +#endif > + if (eckey) > + EC_KEY_free(eckey); > + if (ecparams) > + EC_GROUP_free(ecparams); > #endif > > return APR_SUCCESS; > > >

Regards

Rüdiger
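
Review bot: The `#elif defined(SSL_CTX_set_ecdh_auto)` that replaces `#if defined(SSL_CTX_set_ecdh_auto)` turns the formerly nested conditional into a branch of the new `#if (OPENSSL_VERSION_NUMBER < 0x10100000L)`, so below 1.1.0 only `else {` and `}` are compiled and neither SSL_CTX_set_ecdh_auto() nor the NID_X9_62_prime256v1 fallback runs, while at 1.1.0 and later the closing `}` is compiled without its `else {`. The added `#endif` after `}` then has no `#if` of its own to close, so the hunk ends up with one more `#endif` than it opens. Keeping the inner line as `#if defined(SSL_CTX_set_ecdh_auto)`, nested inside the version check, would balance both the braces and the directives. The added comment line "ECDH is always enabled in 1.0.2" should also be reconciled with a guard on 0x10100000L, which is the question the reply raises.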