proxmox-mirrors/pve-http-server
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-http-server synced 2025-06-30 21:12:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix #1332: allow ECDHE with all supported curves

Browse Source 
with openssl 1.0.1, we had to limit ourself to one curve to
allow ECDHE at all.

with openssl 1.1.x, the same limit actually means only
allowing ECDSA certificates using that curve, even for
non-ephemeral ECDH handshakes, effectively only allowing
prime256 EC certificates.

since openssl 1.1.x supports auto-negotiation of the curve
used for ECDHE, simply use that for now.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2017-03-30 11:54:39 +02:00 committed by Wolfgang Bumiller
parent 01659eceac
commit 10f9a4b775
1 changed files with 0 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
PVE/APIServer/AnyEvent.pm
View File

@ -1616,15 +1616,7 @@ sub new {
if ($self->{ssl}) { if ($self->{ssl}) {
$self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}}); $self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
# TODO : openssl >= 1.0.2 supports SSL_CTX_set_ecdh_auto to select a curve depending on
# server and client availability from SSL_CTX_set1_curves.
# that way other curves like 25519 can be used.
# openssl 1.0.1 can only support 1 curve at a time.
my $curve = Net::SSLeay::OBJ_txt2nid('prime256v1');
my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve);
Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE); Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE);
Net::SSLeay::CTX_set_tmp_ecdh($self->{tls_ctx}->{ctx}, $ecdh);
Net::SSLeay::EC_KEY_free($ecdh);
} }
if ($self->{spiceproxy}) { if ($self->{spiceproxy}) {