commit 0a49f29e1042305bb90177bf1af43a3ab199c2d5
parent dde4f9f75a755664a51b4d95242a0c5b2a346e59
Author: Joris Vink <joris@coders.se>
Date: Tue, 24 Sep 2013 08:58:05 +0200
Add support for ECDH and provide a better ssl_cipher set by default.
Diffstat:
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/modules/example/module.conf b/modules/example/module.conf
@@ -43,7 +43,7 @@ workers 4
load modules/example/example.module
# Specify the SSL ciphers that will be used.
-#ssl_cipher HIGH:!aNULL:!MD5;
+#ssl_cipher EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
# If you wish to use ephemeral key exchanges specify a file containing
# a generated DH key (See OpenSSL dhparam).
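Review bot: The suggested cipher string ranks `EECDH+RC4`, `EDH+RC4` and `RC4-SHA` ahead of the AES256 groups, so a peer that offers both may end up negotiating RC4 rather than the stronger AES256 suites listed later; either drop the RC4 entries or extend the comment above to state the intended preference order, e.g. `# Order matters: earlier groups are preferred; RC4 entries are kept for legacy clients only.`, so the example is safe to copy. The replaced line ended with `;` while the new one does not; the new form matches `load modules/example/example.module` above, so this looks intentional, but it is worth confirming the parser accepts it. The commit message speaks of a default, yet within this diff only the commented-out example line changes; if a built-in default exists in the SSL setup code it is not shown here.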
diff --git a/src/domain.c b/src/domain.c
@@ -55,6 +55,10 @@ kore_domain_new(char *domain)
void
kore_domain_sslstart(struct kore_domain *dom)
{
+#if !defined(OPENSSL_NO_EC)
+ EC_KEY *ecdh;
+#endif
+
kore_debug("kore_domain_sslstart(%s)", dom->domain);
dom->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
@@ -77,6 +81,13 @@ kore_domain_sslstart(struct kore_domain *dom)
if (ssl_dhparam != NULL) {
SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);
SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
+
+#if !defined(OPENSSL_NO_EC)
+ if ((ecdh = EC_KEY_new_by_curve_name(NID_secp384r1)) != NULL) {
+ SSL_CTX_set_tmp_ecdh(dom->ssl_ctx, ecdh);
+ EC_KEY_free(ecdh);
+ }
+#endif
}
if (ssl_no_compression)
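Review bot: The ECDH curve is only installed when `ssl_dhparam != NULL`, because the new `#if !defined(OPENSSL_NO_EC)` block sits inside that branch; a domain configured without a DH parameter file therefore gets no EECDH suites, even though `EC_KEY_new_by_curve_name` does not depend on the DH parameters. Move the block after the closing `}` of the `ssl_dhparam` branch so it runs unconditionally, and mirror the DH line by adding `SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);` next to `SSL_CTX_set_tmp_ecdh`. A failed `EC_KEY_new_by_curve_name` is skipped silently; an `else` branch with `kore_debug("ECDH setup failed for %s, EC suites unavailable", dom->domain);` would make the fall-back to non-EC suites visible in the logs. kore_domain_sslstart continues outside the hunk.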