Module: kamailio Branch: master Commit: 27904530d1f8efd26e2b96fa5f18a3aad887919b URL: https://github.com/kamailio/kamailio/commit/27904530d1f8efd26e2b96fa5f18a3aa...
Author: SPChan shihping.chan@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: 2021-04-29T08:32:13+02:00
[tls] Don't use OpenSSL<1.0.2 fallback on 1.1+
Address GH #2716. Also see https://bugs.python.org/issue29697.
---
Modified: src/modules/tls/tls_domain.c
---
Diff: https://github.com/kamailio/kamailio/commit/27904530d1f8efd26e2b96fa5f18a3aa... Patch: https://github.com/kamailio/kamailio/commit/27904530d1f8efd26e2b96fa5f18a3aa...
---
diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c index ab45fa7136..c2231b0db0 100644 --- a/src/modules/tls/tls_domain.c +++ b/src/modules/tls/tls_domain.c @@ -57,8 +57,12 @@ extern EVP_PKEY * tls_engine_private_key(const char* key_id); * ECDHE is enabled only on OpenSSL 1.0.0e and later. * See http://www.openssl.org/news/secadv_20110906.txt * for details. + * Also, copied from _ssl.c of Python for correct initialization. + * Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use + * prime256v1 by default. This is Apache mod_ssl's initialization + * policy, so we should be safe. OpenSSL 1.1 has it enabled by default. */ -#ifndef OPENSSL_NO_ECDH +#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1) static void setup_ecdh(SSL_CTX *ctx) { EC_KEY *ecdh; @@ -69,11 +73,15 @@ static void setup_ecdh(SSL_CTX *ctx) } #endif
+#if defined(SSL_CTX_set_ecdh_auto) + SSL_CTX_set_ecdh_auto(ctx, 1); +#else ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh); +#endif } #endif
@@ -691,7 +699,7 @@ static int set_cipher_list(tls_domain_t* d) tls_domain_str(d), cipher_list); return -1; } -#ifndef OPENSSL_NO_ECDH +#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1) setup_ecdh(d->ctx[i]); #endif #ifndef OPENSSL_NO_DH