From: Michael Friedrich Date: Tue, 30 Jul 2019 07:43:14 +0000 (+0200) Subject: Fix el7 not loading ECDHE cipher suites X-Git-Tag: v2.10.6~1^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cbd0731578beb887a47128b0e1273d092d5d0a16;p=icinga2 Fix el7 not loading ECDHE cipher suites This is a combined patch from git master for 2.10 and before. refs #7247 refs #7366
---
diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 306d2941f..32fc63682 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -101,6 +101,14 @@ std::shared_ptr MakeSSLContext(const String& pubkey, const String& priv
 SSL_CTX_set_mode(sslContext.get(), SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 SSL_CTX_set_session_id_context(sslContext.get(), (const unsigned char *)"Icinga 2", 8);
+ // Explicitly load ECC ciphers, required on el7 - https://github.com/Icinga/icinga2/issues/7247
+ // SSL_CTX_set_ecdh_auto is deprecated and removed in OpenSSL 1.1.x - https://github.com/openssl/openssl/issues/1437
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+# ifdef SSL_CTX_set_ecdh_auto
+ SSL_CTX_set_ecdh_auto(sslContext.get(), 1);
+# endif /* SSL_CTX_set_ecdh_auto */
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
 if (!pubkey.IsEmpty()) {
 if (!SSL_CTX_use_certificate_chain_file(sslContext.get(), pubkey.CStr())) {
 Log(LogCritical, "SSL")
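Review bot: The result of `SSL_CTX_set_ecdh_auto(sslContext.get(), 1)` is discarded, and when the macro is not defined (OpenSSL older than 1.0.2, where it was introduced) the `# ifdef` compiles the call out without any trace, so a build can still end up without ECDHE suites and nothing in the log says so. The certificate loading just below reports failures through `Log(LogCritical, "SSL")`; the same pattern would fit here, e.g. `if (!SSL_CTX_set_ecdh_auto(sslContext.get(), 1)) Log(LogWarning, "SSL") << "Cannot enable automatic ECDH curve selection.";`. For the missing-macro case, a `# else` branch with a comment stating that ECDHE key exchange stays unavailable on that OpenSSL version would make the limitation explicit instead of silent. MakeSSLContext starts and ends outside the hunk, so whether a later step already checks the resulting cipher list cannot be seen from here.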