kore

An easy to use, scalable and secure web application framework for writing web APIs in C.

commit 0a49f29e1042305bb90177bf1af43a3ab199c2d5
parent dde4f9f75a755664a51b4d95242a0c5b2a346e59
Author: Joris Vink <joris@coders.se>
Date:   Tue, 24 Sep 2013 08:58:05 +0200

Add support for ECDH and provide a better ssl_cipher set by default.

Diffstat:
modules/example/module.conf | 2+-
src/domain.c | 11+++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/modules/example/module.conf b/modules/example/module.conf
@@ -43,7 +43,7 @@ workers 4
 load modules/example/example.module
 
 # Specify the SSL ciphers that will be used.
-#ssl_cipher HIGH:!aNULL:!MD5;
+#ssl_cipher EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
 
 # If you wish to use ephemeral key exchanges specify a file containing
 # a generated DH key (See OpenSSL dhparam).
diff --git a/src/domain.c b/src/domain.c
@@ -55,6 +55,10 @@ kore_domain_new(char *domain)
 void
 kore_domain_sslstart(struct kore_domain *dom)
 {
+#if !defined(OPENSSL_NO_EC)
+ EC_KEY *ecdh;
+#endif
+
 kore_debug("kore_domain_sslstart(%s)", dom->domain);
 
 dom->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
@@ -77,6 +81,13 @@ kore_domain_sslstart(struct kore_domain *dom)
 if (ssl_dhparam != NULL) {
 SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);
 SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
+
+#if !defined(OPENSSL_NO_EC)
+ if ((ecdh = EC_KEY_new_by_curve_name(NID_secp384r1)) != NULL) {
+ SSL_CTX_set_tmp_ecdh(dom->ssl_ctx, ecdh);
+ EC_KEY_free(ecdh);
+ }
+#endif
 }
 
 if (ssl_no_compression)
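Review bot: The new `+#ssl_cipher` line still admits RC4 suites (`EECDH+RC4`, `EDH+RC4`, `RC4-SHA`), listed ahead of the AES256 families, so a client that offers RC4 can negotiate it despite the commit's goal of a stronger set; the `-SHA1` entry is also undone for those two specific suites by `RC4-SHA` and `AES256-SHA`. Since this example is what people copy into real configs, consider dropping the RC4 entries and ending the list with `!RC4`, e.g. `#ssl_cipher EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4`. The trailing `;` of the old line was dropped as well; whichever form the config parser expects, the example should match it.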
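Review bot: The ECDH setup in the second src/domain.c hunk is nested inside `if (ssl_dhparam != NULL)`, so a domain with no DH parameter file configured never gets a temporary EC key and the `EECDH` suites the commit's cipher list puts first cannot be negotiated. The EC key does not depend on ssl_dhparam, so close that `if` after the `SSL_OP_SINGLE_DH_USE` line and place the `#if !defined(OPENSSL_NO_EC)` block after it; while there, mirror the DH branch with `SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);` inside the `if ((ecdh = ...` block so the ephemeral key is not reused across handshakes. A failed `EC_KEY_new_by_curve_name` is skipped silently; a `kore_debug` in an `else` branch would make a build missing that curve diagnosable. kore_domain_sslstart continues past the end of the hunk, and the `ecdh` declaration lives in the preceding hunk.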