git.kaiwu.me - nginx.git/commit

author	Maxim Dounin <mdounin@mdounin.ru>
	Thu, 19 May 2016 11:46:32 +0000 (14:46 +0300)
committer	Maxim Dounin <mdounin@mdounin.ru>
	Thu, 19 May 2016 11:46:32 +0000 (14:46 +0300)
commit	3b7dca4bb5b0938addd48dd5261a0b61d849f8f3
tree	b77058be83384318d3cbb80721f80e3b02b3b289	tree \| snapshot
parent	690423e3b2213814812ce289cb3bafb489d6f6b0	commit \| diff

SSL: support for multiple curves (ticket #885).

OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve
previously supported.  This allows use of different curves depending on
what client supports (as available via the elliptic_curves extension),
and also allows use of different curves in an ECDHE key exchange and
in the ECDSA certificate.

The special value "auto" was introduced (now the default for ssl_ecdh_curve),
which means "use an internal list of curves as available in the OpenSSL
library used".  For versions prior to OpenSSL 1.0.2 it maps to "prime256v1"
as previously used.  The default in 1.0.2b+ prefers prime256v1 as well
(and X25519 in OpenSSL 1.1.0+).

As client vs. server preference of curves is controlled by the
same option as used for ciphers (SSL_OP_CIPHER_SERVER_PREFERENCE),
the ssl_prefer_server_ciphers directive now controls both.

src/event/ngx_event_openssl.c		diff \| blob \| history
src/http/modules/ngx_http_ssl_module.c		diff \| blob \| history
src/mail/ngx_mail_ssl_module.c		diff \| blob \| history
src/stream/ngx_stream_ssl_module.c		diff \| blob \| history