- Fixed unnecessary white-space error
 - Limiting log message to servers
 - Adding SSL_OP_SINGLE_ECDH_USE optionally
 - OpenSSL could be built without elliptic curve support, or too old



git-svn-id: https://svn.pjsip.org/repos/pjproject/trunk@4871 74dad513-b988-da41-8d7b-12977e46ad98
Riza Sulistyo 2014-07-07 06:40:01 +00:00
parent cd7a313a58
commit 4d41dda2ab
1 changed files with 37 additions and 26 deletions


@ -490,7 +490,9 @@ static pj_status_t create_ssl(pj_ssl_sock_t *ssock)
BIO *bio;
DH *dh;
long options;
#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L
EC_KEY *ecdh;
#endif
SSL_METHOD *ssl_method;
SSL_CTX *ctx;
pj_ssl_cert_t *cert;
@ -587,41 +589,50 @@ static pj_status_t create_ssl(pj_ssl_sock_t *ssock)
return status;
}
bio = BIO_new_file(cert->privkey_file.ptr, "r");
if (bio != NULL) {
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
if (dh != NULL) {
if (SSL_CTX_set_tmp_dh(ctx, dh)) {
options = SSL_OP_CIPHER_SERVER_PREFERENCE |
SSL_OP_SINGLE_DH_USE;
options = SSL_CTX_set_options(ctx, options);
PJ_LOG(4,(ssock->pool->obj_name, "SSL DH "
"initialized, PFS cipher-suites enabled"));
}
DH_free(dh);
if (ssock->is_server) {
bio = BIO_new_file(cert->privkey_file.ptr, "r");
if (bio != NULL) {
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
if (dh != NULL) {
if (SSL_CTX_set_tmp_dh(ctx, dh)) {
options = SSL_OP_CIPHER_SERVER_PREFERENCE |
#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L
SSL_OP_SINGLE_ECDH_USE |
#endif
SSL_OP_SINGLE_DH_USE;
options = SSL_CTX_set_options(ctx, options);
PJ_LOG(4,(ssock->pool->obj_name, "SSL DH "
"initialized, PFS cipher-suites enabled"));
}
DH_free(dh);
}
BIO_free(bio);
}
BIO_free(bio);
}
}
}
if (ssock->is_server) {
#ifndef SSL_CTRL_SET_ECDH_AUTO
#define SSL_CTRL_SET_ECDH_AUTO 94
#endif
/* SSL_CTX_set_ecdh_auto(ctx, on); requires OpenSSL 1.0.2 which wraps: */
if (SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized (automatic), "
"faster PFS ciphers enabled"));
} else {
/* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh != NULL) {
if (SSL_CTX_set_tmp_ecdh(ctx, ecdh)) {
PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized "
"(secp256r1), faster PFS cipher-suites enabled"));
/* SSL_CTX_set_ecdh_auto(ctx,on) requires OpenSSL 1.0.2 which wraps: */
if (SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized "
"(automatic), faster PFS ciphers enabled"));
#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L
} else {
/* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh != NULL) {
if (SSL_CTX_set_tmp_ecdh(ctx, ecdh)) {
PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized "
"(secp256r1), faster PFS cipher-suites enabled"));
}
EC_KEY_free(ecdh);
}
EC_KEY_free(ecdh);
#endif
}
}
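Review bot: `SSL_OP_SINGLE_ECDH_USE` is only set inside the `if (SSL_CTX_set_tmp_dh(ctx, dh))` branch, so a server whose private-key file carries no DH parameters still reaches the `SSL_CTX_set_tmp_ecdh()` fallback without it. On the OpenSSL 1.0.x releases this guard targets, that appears to leave one ECDH key in use across handshakes for the life of the context, which weakens the forward secrecy the log line announces. Setting the option independently of the DH result, e.g. `SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);` just before `EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)` inside the existing `#if`, would cover both paths. The same applies to `SSL_OP_CIPHER_SERVER_PREFERENCE`, which is also skipped when no DH parameters load. create_ssl's body starts and ends outside the hunks shown.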