enable auto curve selection for ephemeral ECDH keys
when compiled against OpenSSL 1.0.2 or later
Submitted by: kbrand
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1569005 13f79535-47bb-0310-9956-ffa450edef68
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: enable auto curve selection for ECDHE / OpenSSL 1.0.2
- trunk patch: https://svn.apache.org/r1563420
- 2.4.x patch: trunk patch works
- +1: kbrand, drh, ylavic
-
* mod_remoteip: Correct the trusted proxy match test. PR54651
trunk patch: https://svn.apache.org/r1564052
2.4.x patch: trunk works
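Review bot: the commit message does not mention the trunk revision (r1563420) that the removed STATUS entry recorded; since this hunk deletes the entry, the log message is the only place left to keep that link, so consider adding "Backport of r1563420" (or the equivalent svn merge note) to the message so the 2.4.x change can be traced back to the trunk commit and its +1 votes (kbrand, drh, ylavic).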
OBJ_nid2sn(nid), vhost_id, mctx->pks->cert_files[0]);
}
/*
- * ...otherwise, configure NIST P-256 (required to enable ECDHE)
+ * ...otherwise, enable auto curve selection (OpenSSL 1.0.2 and later)
+ * or configure NIST P-256 (required to enable ECDHE for earlier versions)
*/
else {
+#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
+#else
SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+#endif
}
#endif
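Review bot: neither branch of the new #if checks the return value of the call it makes, whereas the configured-curve branch above logs via the OBJ_nid2sn(nid) / vhost_id / cert_files[0] message; SSL_CTX_set_ecdh_auto() is a macro over SSL_CTX_ctrl() in OpenSSL 1.0.2 and returns 0 on failure, so a `if (!SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1))` guard with the same style of log line would let an admin see when ECDHE auto selection did not take effect. Relying on `#if defined(SSL_CTX_set_ecdh_auto)` for version detection works because it is a macro in openssl/ssl.h, but a comment saying so would save the next reader from wondering why it is not an OPENSSL_VERSION_NUMBER check. The pre-existing #else branch also leaks the EC_KEY: SSL_CTX_set_tmp_ecdh() copies the key, so the caller still owns it; while touching this block it would be cheap to write `EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);` / `SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, ecdh);` / `EC_KEY_free(ecdh);`.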