From 6c60d0d66ea4b7dcfeb4e04d7cee3b47d1b629bc Mon Sep 17 00:00:00 2001 From: Gerhard Rieger Date: Thu, 2 Apr 2015 18:00:57 +0200 Subject: [PATCH] Added OpenSSL server side EDHCE cipher support --- CHANGES | 9 ++++++--- xio-openssl.c | 22 ++++++++++++++++++++++ 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 6cacfab..6a7b863 100644 --- a/CHANGES +++ b/CHANGES @@ -330,6 +330,9 @@ porting: Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h on Illumos + Changes for Openindiana: define _XPG4_2, __EXTENSIONS__, + _POSIX_PTHREAD_SEMANTICS; and minor changes + Red Hat issue 1182005: socat 1.7.2.4 build failure missing linux/errqueue.h Socat failed to compile on on PPC due to new requirements for @@ -338,9 +341,6 @@ porting: Use 'environ' variable only when provided by runtime - Changes for Openindiana: define _XPG4_2, __EXTENSIONS__, - _POSIX_PTHREAD_SEMANTICS; and minor changes - new features: added option max-children that limits the number of concurrent child processes. Thanks to Sam Liddicott for providing the patch. @@ -361,6 +361,9 @@ new features: Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1 Tests: OPENSSL_METHOD_* + Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested + by Andrey Arapov. + Added a new option termios-rawer for ptys. Thanks to Christian Vogelgsang for pointing me to this requirement diff --git a/xio-openssl.c b/xio-openssl.c index 25e47d7..e519eaf 100644 --- a/xio-openssl.c +++ b/xio-openssl.c 
@@ -1093,6 +1093,28 @@ int
 }
 }
+ {
+ /* see http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html */
+ int nid;
+ EC_KEY *ecdh;
+
+#if 0
+ nid = OBJ_sn2nid(ECDHE_CURVE);
+ if (nid == NID_undef) {
+ Error("openssl: failed to set ECDHE parameters");
+ return -1;
+ }
+#endif
+ nid = NID_X9_62_prime256v1;
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (NULL == ecdh) {
+ Error("openssl: failed to set ECDHE parameters");
+ return -1;
+ }
+
+ SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
+ }
+
 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
 if (opt_compress) {
 int result;
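Review bot: The result of `SSL_CTX_set_tmp_ecdh(*ctx, ecdh)` at the end of the added block is ignored, so if the call fails the context is left without ECDH parameters and the server silently loses the ECDHE (forward-secrecy) suites this change is meant to enable; check it with `if (SSL_CTX_set_tmp_ecdh(*ctx, ecdh) != 1)` and take the same `Error(...)`/`return -1` path already used for the `EC_KEY_new_by_curve_name` failure. The key is also never released: OpenSSL keeps its own copy of the key handed to this call, so `EC_KEY_free(ecdh);` belongs after it on both the success and the failure path. The block is compiled unconditionally, unlike the `#if OPENSSL_VERSION_NUMBER` section right after it, so a build against an OpenSSL configured without EC support would presumably break here; an `#ifndef OPENSSL_NO_EC` guard would cover that. The enclosing function begins and ends outside this hunk, so whether this code is also reached for client contexts cannot be confirmed from the lines shown.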