Re #1765:
- Fixed unnecessary white-space error - Limiting log message to servers - Adding SSL_OP_SINGLE_ECDH_USE optionally - OpenSSL could be built without elliptic curve support, or too old git-svn-id: https://svn.pjsip.org/repos/pjproject/trunk@4871 74dad513-b988-da41-8d7b-12977e46ad98
This commit is contained in:
parent
cd7a313a58
commit
4d41dda2ab
|
@ -490,7 +490,9 @@ static pj_status_t create_ssl(pj_ssl_sock_t *ssock)
|
|||
BIO *bio;
|
||||
DH *dh;
|
||||
long options;
|
||||
#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L
|
||||
EC_KEY *ecdh;
|
||||
#endif
|
||||
SSL_METHOD *ssl_method;
|
||||
SSL_CTX *ctx;
|
||||
pj_ssl_cert_t *cert;
|
||||
|
@ -587,41 +589,50 @@ static pj_status_t create_ssl(pj_ssl_sock_t *ssock)
|
|||
return status;
|
||||
}
|
||||
|
||||
bio = BIO_new_file(cert->privkey_file.ptr, "r");
|
||||
if (bio != NULL) {
|
||||
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
|
||||
if (dh != NULL) {
|
||||
if (SSL_CTX_set_tmp_dh(ctx, dh)) {
|
||||
options = SSL_OP_CIPHER_SERVER_PREFERENCE |
|
||||
SSL_OP_SINGLE_DH_USE;
|
||||
options = SSL_CTX_set_options(ctx, options);
|
||||
PJ_LOG(4,(ssock->pool->obj_name, "SSL DH "
|
||||
"initialized, PFS cipher-suites enabled"));
|
||||
}
|
||||
DH_free(dh);
|
||||
if (ssock->is_server) {
|
||||
bio = BIO_new_file(cert->privkey_file.ptr, "r");
|
||||
if (bio != NULL) {
|
||||
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
|
||||
if (dh != NULL) {
|
||||
if (SSL_CTX_set_tmp_dh(ctx, dh)) {
|
||||
options = SSL_OP_CIPHER_SERVER_PREFERENCE |
|
||||
#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L
|
||||
SSL_OP_SINGLE_ECDH_USE |
|
||||
#endif
|
||||
SSL_OP_SINGLE_DH_USE;
|
||||
options = SSL_CTX_set_options(ctx, options);
|
||||
PJ_LOG(4,(ssock->pool->obj_name, "SSL DH "
|
||||
"initialized, PFS cipher-suites enabled"));
|
||||
}
|
||||
DH_free(dh);
|
||||
}
|
||||
BIO_free(bio);
|
||||
}
|
||||
BIO_free(bio);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (ssock->is_server) {
|
||||
#ifndef SSL_CTRL_SET_ECDH_AUTO
|
||||
#define SSL_CTRL_SET_ECDH_AUTO 94
|
||||
#endif
|
||||
|
||||
/* SSL_CTX_set_ecdh_auto(ctx, on); requires OpenSSL 1.0.2 which wraps: */
|
||||
if (SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
|
||||
PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized (automatic), "
|
||||
"faster PFS ciphers enabled"));
|
||||
} else {
|
||||
/* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
|
||||
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
||||
if (ecdh != NULL) {
|
||||
if (SSL_CTX_set_tmp_ecdh(ctx, ecdh)) {
|
||||
PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized "
|
||||
"(secp256r1), faster PFS cipher-suites enabled"));
|
||||
|
||||
/* SSL_CTX_set_ecdh_auto(ctx,on) requires OpenSSL 1.0.2 which wraps: */
|
||||
if (SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
|
||||
PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized "
|
||||
"(automatic), faster PFS ciphers enabled"));
|
||||
#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L
|
||||
} else {
|
||||
/* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
|
||||
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
||||
if (ecdh != NULL) {
|
||||
if (SSL_CTX_set_tmp_ecdh(ctx, ecdh)) {
|
||||
PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized "
|
||||
"(secp256r1), faster PFS cipher-suites enabled"));
|
||||
}
|
||||
EC_KEY_free(ecdh);
|
||||
}
|
||||
EC_KEY_free(ecdh);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue