From: Jim Jagielski Date: Mon, 17 Feb 2014 14:11:38 +0000 (+0000) Subject: Merge r1563420 from trunk: X-Git-Tag: 2.4.8~110 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3eced4f81172bfe9c3d8bf72ab5bba4dc18abd66;p=apache Merge r1563420 from trunk: enable auto curve selection for ephemeral ECDH keys when compiled against OpenSSL 1.0.2 or later Submitted by: kbrand Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1569005 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 6a36087a25..1d4081210f 100644 --- a/STATUS +++ b/STATUS @@ -98,11 +98,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_ssl: enable auto curve selection for ECDHE / OpenSSL 1.0.2 - trunk patch: https://svn.apache.org/r1563420 - 2.4.x patch: trunk patch works - +1: kbrand, drh, ylavic - * mod_remoteip: Correct the trusted proxy match test. PR54651 trunk patch: https://svn.apache.org/r1564052 2.4.x patch: trunk works diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index e4f461d037..fd95a51290 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -1083,11 +1083,16 @@ static apr_status_t ssl_init_server_certs(server_rec *s, OBJ_nid2sn(nid), vhost_id, mctx->pks->cert_files[0]); } /* - * ...otherwise, configure NIST P-256 (required to enable ECDHE) + * ...otherwise, enable auto curve selection (OpenSSL 1.0.2 and later) + * or configure NIST P-256 (required to enable ECDHE for earlier versions) */ else { +#if defined(SSL_CTX_set_ecdh_auto) + SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1); +#else SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); +#endif } #endif
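Review bot: the `#if defined(SSL_CTX_set_ecdh_auto)` guard in the else branch of ssl_init_server_certs() only works because OpenSSL 1.0.2 exposes SSL_CTX_set_ecdh_auto as a macro; if a later release turned it into a real function, the build would silently drop back to the single-curve P-256 path with no warning, so an explicit `OPENSSL_VERSION_NUMBER >= 0x10002000L` test, or at least a comment recording the macro assumption next to the `#if`, would make the intent robust. In the retained fallback, the EC_KEY returned by `EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)` is handed straight to SSL_CTX_set_tmp_ecdh, which copies it, so the original object is leaked once per server context; holding it in a local and calling EC_KEY_free after the set call fixes that, and neither SSL_CTX_set_ecdh_auto nor SSL_CTX_set_tmp_ecdh has its return value checked, so a failure to enable ECDHE would go unlogged.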