{
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
#ifndef OPENSSL_NO_ECDH
- int nid;
- EC_KEY *ecdh;
/*
* Elliptic-Curve Diffie-Hellman parameters are either "named curves"
* maximum interoperability.
*/
- nid = OBJ_sn2nid((char *) name->data);
+#ifdef SSL_CTRL_SET_CURVES_LIST
+
+ /*
+ * OpenSSL 1.0.2+ allows configuring a curve list instead of a single
+ * curve previously supported. By default an internal list is used,
+ * with prime256v1 being preferred by server in OpenSSL 1.0.2b+
+ * and X25519 in OpenSSL 1.1.0+.
+ *
+ * By default a curve preferred by the client will be used for
+ * key exchange. The SSL_OP_CIPHER_SERVER_PREFERENCE option can
+ * be used to prefer server curves instead, similar to what it
+ * does for ciphers.
+ */
+
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
+
+#if SSL_CTRL_SET_ECDH_AUTO
+ /* not needed in OpenSSL 1.1.0+ */
+ SSL_CTX_set_ecdh_auto(ssl->ctx, 1);
+#endif
+
+ if (ngx_strcmp(name->data, "auto") == 0) {
+ return NGX_OK;
+ }
+
+ if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_set1_curves_list(\"%s\") failed", name->data);
+ return NGX_ERROR;
+ }
+
+#else
+
+ int nid;
+ char *curve;
+ EC_KEY *ecdh;
+
+ if (ngx_strcmp(name->data, "auto") == 0) {
+ curve = "prime256v1";
+
+ } else {
+ curve = (char *) name->data;
+ }
+
+ nid = OBJ_sn2nid(curve);
if (nid == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
- "OBJ_sn2nid(\"%s\") failed: unknown curve", name->data);
+ "OBJ_sn2nid(\"%s\") failed: unknown curve", curve);
return NGX_ERROR;
}
ecdh = EC_KEY_new_by_curve_name(nid);
if (ecdh == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
- "EC_KEY_new_by_curve_name(\"%s\") failed", name->data);
+ "EC_KEY_new_by_curve_name(\"%s\") failed", curve);
return NGX_ERROR;
}
EC_KEY_free(ecdh);
#endif
+#endif
#endif
return NGX_OK;
projects / nginx.git / commitdiff