From 6cdc0f31b0be94b60fc35e8cfb6acc8d727f855b Mon Sep 17 00:00:00 2001
From: Enrico Tagliavini
Date: Fri, 2 Feb 2018 17:40:13 +0100
Subject: [PATCH] enable automatic ECDH when possible (openssl 1.0.2)

Openssl 1.1.0 and later are enabling ECDH automatically, but for older version it must be enabled explicitly or all Perfect Forward Secrecy ciphers will be silently ignored. See also [1]. This commit applies the same fix as found in CnetOS 7 httpd package to enable automatic ECDH as found in [2]. [1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters [2] https://git.centos.org/blob/rpms!httpd.git/c7/SOURCES!httpd-2.4.6-ssl-ecdh-auto.patch
---
 common/ssl_calls.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index b5b9237a..bd2181c0 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -592,6 +592,9 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
 SSL_CTX_set_options(self->ctx, options);
+#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(self->ctx, 1);
+#endif
 if (g_strlen(tls_ciphers) > 1) {