[sr-dev] git:master:27904530: [tls] Don't use OpenSSL<1.0.2 fallback on 1.1+

Daniel-Constantin Mierla miconda at gmail.com
Thu Apr 29 08:32:17 CEST 2021


Module: kamailio
Branch: master
Commit: 27904530d1f8efd26e2b96fa5f18a3aad887919b
URL: https://github.com/kamailio/kamailio/commit/27904530d1f8efd26e2b96fa5f18a3aad887919b

Author: SPChan <shihping.chan at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2021-04-29T08:32:13+02:00

[tls] Don't use OpenSSL<1.0.2 fallback on 1.1+

Address GH #2716. Also see https://bugs.python.org/issue29697.

---

Modified: src/modules/tls/tls_domain.c

---

Diff:  https://github.com/kamailio/kamailio/commit/27904530d1f8efd26e2b96fa5f18a3aad887919b.diff
Patch: https://github.com/kamailio/kamailio/commit/27904530d1f8efd26e2b96fa5f18a3aad887919b.patch

---

diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
index ab45fa7136..c2231b0db0 100644
--- a/src/modules/tls/tls_domain.c
+++ b/src/modules/tls/tls_domain.c
@@ -57,8 +57,12 @@ extern EVP_PKEY * tls_engine_private_key(const char* key_id);
  * ECDHE is enabled only on OpenSSL 1.0.0e and later.
  * See http://www.openssl.org/news/secadv_20110906.txt
  * for details.
+ * Also, copied from _ssl.c of Python for correct initialization.
+ * Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+ * prime256v1 by default.  This is Apache mod_ssl's initialization
+ * policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
  */
-#ifndef OPENSSL_NO_ECDH
+#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
 static void setup_ecdh(SSL_CTX *ctx)
 {
    EC_KEY *ecdh;
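Review bot: The new header comment describes the 1.0.2+ auto-selection and says "OpenSSL 1.1 has it enabled by default", but the guard on the `#if` line below it now compiles the whole function out on 1.1+, and the comment does not say so; a reader seeing the `!defined(OPENSSL_VERSION_1_1)` half of the guard gets no explanation for it. I would add one line after the policy sentence, `* On OpenSSL 1.1+ this function is not built at all: the library's default ECDH setup is used instead.` and drop the vague "so we should be safe". `OPENSSL_VERSION_1_1` is presumably a module-local macro derived from `OPENSSL_VERSION_NUMBER` rather than an OpenSSL-provided one; confirm it is visible in this translation unit, otherwise the new condition silently degrades to the old `#ifndef OPENSSL_NO_ECDH`. The body of setup_ecdh continues past the end of this hunk.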
@@ -69,11 +73,15 @@ static void setup_ecdh(SSL_CTX *ctx)
    }
 #endif
 
+#if defined(SSL_CTX_set_ecdh_auto)
+   SSL_CTX_set_ecdh_auto(ctx, 1);
+#else
    ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
    SSL_CTX_set_tmp_ecdh(ctx, ecdh);
 
    EC_KEY_free(ecdh);
+#endif
 }
 #endif
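Review bot: `EC_KEY *ecdh`, declared unconditionally at the top of setup_ecdh in the previous hunk, is now only used inside the `#else` branch, so builds that take the `SSL_CTX_set_ecdh_auto` path (OpenSSL 1.0.2) get an unused-variable warning. Move the declaration into the branch that uses it and, while there, guard the allocation that the fallback path has always left unchecked: `EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);` followed by `if(ecdh == NULL) { LM_ERR("failed to create ECDH key\n"); return; }`, which avoids handing a NULL key to `SSL_CTX_set_tmp_ecdh`. The `defined(SSL_CTX_set_ecdh_auto)` test relies on that name being a macro in the 1.0.2 headers; that holds for the versions this block is still compiled for, but a note on the `#if` saying so would stop someone from "fixing" it into a version check later.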
 
@@ -691,7 +699,7 @@ static int set_cipher_list(tls_domain_t* d)
 					tls_domain_str(d), cipher_list);
 			return -1;
 		}
-#ifndef OPENSSL_NO_ECDH
+#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
                 setup_ecdh(d->ctx[i]);
 #endif
 #ifndef OPENSSL_NO_DH
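Review bot: The guard around the `setup_ecdh(d->ctx[i])` call repeats the exact expression used around the function's definition in the first hunk; if one side is edited without the other, the call either becomes an implicit declaration or the function becomes dead code, and the compiler only catches the first case. Define the condition once next to the definition, e.g. `#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)` / `#define TLS_USE_SETUP_ECDH 1` / `#endif` (name constructed), and use `#ifdef TLS_USE_SETUP_ECDH` at both places. The enclosing set_cipher_list body starts and ends outside this hunk.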



