
[tls] Don't use OpenSSL<1.0.2 fallback on 1.1+

Address GH #2716. Also see https://bugs.python.org/issue29697.

(cherry picked from commit 27904530d1f8efd26e2b96fa5f18a3aad887919b)
(cherry picked from commit 1c7a8459f1a5b0f4d96f3908a301b599d5e24dc3)
(cherry picked from commit 1142d5470d40801743af2fd9e27213bae6c394f4)

SPChan authored on 27/04/2021 16:51:22 • Henning Westerholt committed on 22/10/2021 11:54:01
@@ -54,8 +54,12 @@ extern EVP_PKEY * tls_engine_private_key(const char* key_id);
54 54
  * ECDHE is enabled only on OpenSSL 1.0.0e and later.
55 55
  * See http://www.openssl.org/news/secadv_20110906.txt
56 56
  * for details.
57
+ * Also, copied from _ssl.c of Python for correct initialization.
58
+ * Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
59
+ * prime256v1 by default.  This is Apache mod_ssl's initialization
60
+ * policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
57 61
  */
58
-#ifndef OPENSSL_NO_ECDH
62
+#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
59 63
 static void setup_ecdh(SSL_CTX *ctx)
60 64
 {
61 65
    EC_KEY *ecdh;
@@ -64,11 +68,15 @@ static void setup_ecdh(SSL_CTX *ctx)
64 68
       return;
65 69
    }
66 70
 
71
+#if defined(SSL_CTX_set_ecdh_auto)
72
+   SSL_CTX_set_ecdh_auto(ctx, 1);
73
+#else
67 74
    ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
68 75
    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
69 76
    SSL_CTX_set_tmp_ecdh(ctx, ecdh);
70 77
 
71 78
    EC_KEY_free(ecdh);
79
+#endif
72 80
 }
73 81
 #endif
74 82
 
@@ -665,7 +673,7 @@ static int set_cipher_list(tls_domain_t* d)
665 673
 					tls_domain_str(d), cipher_list);
666 674
 			return -1;
667 675
 		}
668
-#ifndef OPENSSL_NO_ECDH
676
+#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
669 677
                 setup_ecdh(d->ctx[i]);
670 678
 #endif
671 679
 #ifndef OPENSSL_NO_DH
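Review bot: In the setup_ecdh hunk (@@ -64,11 +68,15 @@), the new `#if defined(SSL_CTX_set_ecdh_auto)` branch leaves `EC_KEY *ecdh;` (declared at new line 65 in the first hunk) unused, so the exact configuration this branch targets is the one that now gets an unused-variable warning. Moving the declaration into the `#else` branch keeps each path self-contained, `EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);`, and a `if (!ecdh) return;` there would also stop `SSL_CTX_set_tmp_ecdh` from being handed a NULL key when the curve lookup fails. The `!defined(OPENSSL_VERSION_1_1)` guard is applied consistently to the definition and to the set_cipher_list call site, but it looks like a project-local macro rather than an OpenSSL one; if so, the header that defines it must be included before both uses, otherwise the pre-1.0.2 fallback is silently compiled back in on 1.1+. setup_ecdh begins before this hunk (its declaration and early return sit in the first hunk, with new lines 66-67 not shown), while its closing brace is inside it.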