Re: [PATCH] SSL: support automatic selection of ECDH temporary key parameters

Piotr Sikora
November 04, 2013 05:30AM
Hey,
it looks like the new OpenSSL API is more powerful than I originally
expected, much better patch attached.

Any chances for this getting in before OpenSSL-1.0.2 is released?

Best regards,
Piotr Sikora


# HG changeset patch
# User Piotr Sikora <piotr@cloudflare.com>
# Date 1383560410 28800
# Mon Nov 04 02:20:10 2013 -0800
# Node ID 3da92dd8525d7c6155e230d8f367ee9defcff01d
# Parent dea321e5c0216efccbb23e84bbce7cf3e28f130c
SSL: support automatic selection of ECDH temporary key parameters.

The colon separated list of supported curves can be provided using
either curve NIDs:

ssl_ecdh_curve secp521r1:secp384r1:prime256v1;

or names:

ssl_ecdh_curve P-521:P-384:P-256;

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>

diff -r dea321e5c021 -r 3da92dd8525d src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu Oct 31 18:23:49 2013 +0400
+++ b/src/event/ngx_event_openssl.c Mon Nov 04 02:20:10 2013 -0800
@@ -679,6 +679,25 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s
{
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
#ifndef OPENSSL_NO_ECDH
+#ifdef SSL_CTRL_SET_ECDH_AUTO
+
+ if (SSL_CTX_set1_curves_list(ssl->ctx, name->data) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "Unknown curve in \"%s\"", name->data);
+ return NGX_ERROR;
+ }
+
+ if (SSL_CTX_set_ecdh_auto(ssl->ctx, 1) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "Unable to set automatic curve selection for \"%s\"",
+ name->data);
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+
+#else
+
int nid;
EC_KEY *ecdh;

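Review bot: The failure message for SSL_CTX_set1_curves_list() at the top of the new SSL_CTRL_SET_ECDH_AUTO branch states a cause ("Unknown curve in ...") that the check cannot confirm, since all it tests is a zero return. Naming the failing call instead, for example "SSL_CTX_set1_curves_list(\"%s\") failed", would be accurate for every failure mode, and the SSL_CTX_set_ecdh_auto() message could follow the same form. The branch is also guarded only by SSL_CTRL_SET_ECDH_AUTO although its first call is SSL_CTX_set1_curves_list(); either test SSL_CTRL_SET_CURVES_LIST as well or add a short comment that the two are expected to be available together. The early "return NGX_OK;" inside the #ifdef is easy to miss when reading the function top to bottom, so a comment on the #else would help.
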
@@ -708,6 +727,8 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s
SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);

EC_KEY_free(ecdh);
+
+#endif
#endif
#endif

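Review bot: The #else branch closed by the added #endif still declares a single nid and a single EC_KEY and ends in one SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh) call, so the colon-separated lists shown in the commit message are only usable when SSL_CTRL_SET_ECDH_AUTO is defined. The same ssl_ecdh_curve value will then behave differently depending on the OpenSSL the binary was built against. Please document that the list form requires the newer API, and consider having the fallback path reject a value containing ':' with a message that says so, so a configuration moved to an older build fails with an obvious reason.
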