Hey, it looks like the new OpenSSL API is more powerful than I originally expected; much better patch attached.
Any chances for this getting in before OpenSSL-1.0.2 is released? Best regards, Piotr Sikora
# HG changeset patch # User Piotr Sikora <pi...@cloudflare.com> # Date 1383560410 28800 # Mon Nov 04 02:20:10 2013 -0800 # Node ID 3da92dd8525d7c6155e230d8f367ee9defcff01d # Parent dea321e5c0216efccbb23e84bbce7cf3e28f130c SSL: support automatic selection of ECDH temporary key parameters. The colon separated list of supported curves can be provided using either curve NIDs: ssl_ecdh_curve secp521r1:secp384r1:prime256v1; or names: ssl_ecdh_curve P-521:P-384:P-256; Signed-off-by: Piotr Sikora <pi...@cloudflare.com> diff -r dea321e5c021 -r 3da92dd8525d src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Thu Oct 31 18:23:49 2013 +0400 +++ b/src/event/ngx_event_openssl.c Mon Nov 04 02:20:10 2013 -0800 @@ -679,6 +679,25 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s { #if OPENSSL_VERSION_NUMBER >= 0x0090800fL #ifndef OPENSSL_NO_ECDH +#ifdef SSL_CTRL_SET_ECDH_AUTO + + if (SSL_CTX_set1_curves_list(ssl->ctx, name->data) == 0) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "Unknown curve in \"%s\"", name->data); + return NGX_ERROR; + } + + if (SSL_CTX_set_ecdh_auto(ssl->ctx, 1) == 0) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "Unable to set automatic curve selection for \"%s\"", + name->data); + return NGX_ERROR; + } + + return NGX_OK; + +#else + int nid; EC_KEY *ecdh; @@ -708,6 +727,8 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); EC_KEY_free(ecdh); + +#endif #endif #endif
_______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
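Review bot: the early `return NGX_OK` inside the `#ifdef SSL_CTRL_SET_ECDH_AUTO` branch of the first hunk skips everything the existing function does between the curve lookup and the `SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); EC_KEY_free(ecdh);` context of the second hunk, so please confirm that no context-wide setup performed on the old path (an `SSL_CTX_set_options` call there, for example) is also needed on the new one. Two smaller points: the guard tests `SSL_CTRL_SET_ECDH_AUTO` while the first call made is `SSL_CTX_set1_curves_list`, so guarding on the control that call actually depends on (or on both) would read more clearly; and the commit message should state that builds without the new API fall back to the single-curve `SSL_CTX_set_tmp_ecdh` path, where the colon-separated list syntax this change introduces is not parsed.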