| author | Enrico Tagliavini <enrico.tagliavini@fmi.ch> | 2018-02-02 17:40:13 +0100 |
|---|---|---|
| committer | metalefty <meta@vmeta.jp> | 2018-03-01 09:57:35 +0900 |
| commit | 6cdc0f31b0be94b60fc35e8cfb6acc8d727f855b (patch) | |
| tree | d0a5fd80069bd33398b05ee8064a3f0a706954e6 | |
| parent | 793a418cfbaba13bdd08c7008c1a53b436e45f9e (diff) | |
| download | xrdp-proprietary-6cdc0f31b0be94b60fc35e8cfb6acc8d727f855b.tar.gz xrdp-proprietary-6cdc0f31b0be94b60fc35e8cfb6acc8d727f855b.zip | |
enable automatic ECDH when possible (openssl 1.0.2)
Openssl 1.1.0 and later are enabling ECDH automatically, but for older
versions it must be enabled explicitly or all Perfect Forward Secrecy
ciphers will be silently ignored. See also [1]. This commit applies the
same fix as found in the CentOS 7 httpd package to enable automatic ECDH as
found in [2].
[1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
[2] https://git.centos.org/blob/rpms!httpd.git/c7/SOURCES!httpd-2.4.6-ssl-ecdh-auto.patch
| -rw-r--r-- | common/ssl_calls.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/common/ssl_calls.c b/common/ssl_calls.c index b5b9237a..bd2181c0 100644 --- a/common/ssl_calls.c +++ b/common/ssl_calls.c @@ -592,6 +592,9 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_options(self->ctx, options); +#if defined(SSL_CTX_set_ecdh_auto) + SSL_CTX_set_ecdh_auto(self->ctx, 1); +#endif if (g_strlen(tls_ciphers) > 1) { |
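Review bot: the `#if defined(SSL_CTX_set_ecdh_auto)` guard compiles to nothing on OpenSSL builds older than 1.0.2, where that macro does not exist, so exactly the builds the commit message is worried about (the ones that need explicit ECDH setup) still end up with no ECDHE key exchange and no indication of it. Consider an `#else` branch that selects a curve explicitly via `SSL_CTX_set_tmp_ecdh()` (available since 1.0.0), or at minimum a log line in the `#else` path so an operator can tell that the PFS cipher suites they configured in `tls_ciphers` will be silently dropped. Minor: the return value of `SSL_CTX_set_ecdh_auto()` (1 on success) is discarded; logging on failure would keep the TLS setup path diagnosable.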
