From 9c923687746294293473c25f2821253a9f18b469 Mon Sep 17 00:00:00 2001
From: Michael Friedrich <michael.friedrich@icinga.com>
Date: Tue, 18 Jun 2019 14:58:19 +0200
Subject: [PATCH] SSL Context: Explicitly load ECC ciphers on el7

Otherwise curl/nss as client won't be able to use the
new default cipher list.

fixes #7247
---
 lib/base/tlsutility.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index a3edc8758..3bde27a7a 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -73,6 +73,9 @@ static void SetupSslContext(SSL_CTX *sslContext, const String& pubkey, const Str
 	SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 	SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)"Icinga 2", 8);
 
+	// Explicitly load ECC ciphers, required on el7 - https://github.com/Icinga/icinga2/issues/7247
+	SSL_CTX_set_ecdh_auto(sslContext, 1);
+
 	if (!pubkey.IsEmpty()) {
 		if (!SSL_CTX_use_certificate_chain_file(sslContext, pubkey.CStr())) {
 			Log(LogCritical, "SSL")
-- 
2.40.0