author | Giuseppe D'Angelo <giuseppe.dangelo@kdab.com> | 2014-11-27 11:03:06 +0100 |
---|---|---|
committer | Giuseppe D'Angelo <giuseppe.dangelo@kdab.com> | 2014-11-29 21:03:17 +0100 |
commit | 9431321c653e4f387d7d27c410d22aabb2d042ef (patch) | |
tree | 5497cc5e58229eabb2cfcfe288c12490e29f0ad4 /src/network/ssl/qsslcontext_openssl.cpp | |
parent | f9408317e70bc2e635a2f9baeff35d1c06227734 (diff) |
SSL: let a server choose the most appropriate curve for a client
OpenSSL 1.0.2 introduces SSL_CTX_set_ecdh_auto, which allows us
to stop using one specific temporary curve, and instead makes
the server negotiate the best curve.
Task-number: QTBUG-42925
Change-Id: I3a68f29030bdf04f368bfdf79c888401ce82bdd8
Reviewed-by: Richard J. Moore <rich@kde.org>
Diffstat (limited to 'src/network/ssl/qsslcontext_openssl.cpp')
-rw-r--r-- | src/network/ssl/qsslcontext_openssl.cpp | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/src/network/ssl/qsslcontext_openssl.cpp b/src/network/ssl/qsslcontext_openssl.cpp
index e62367cef3..c1d09dce44 100644
--- a/src/network/ssl/qsslcontext_openssl.cpp
+++ b/src/network/ssl/qsslcontext_openssl.cpp
@@ -321,11 +321,18 @@ init_context:
 q_DH_free(dh);
 #ifndef OPENSSL_NO_EC
- // Set temp ECDH params
- EC_KEY *ecdh = 0;
- ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh);
- q_EC_KEY_free(ecdh);
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ if (q_SSLeay() >= 0x10002000L) {
+ q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL);
+ } else
+#endif
+ {
+ // Set temp ECDH params
+ EC_KEY *ecdh = 0;
+ ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh);
+ q_EC_KEY_free(ecdh);
+ }
 #endif // OPENSSL_NO_EC
 const QVector<QSslEllipticCurve> qcurves = sslContext->sslConfiguration.ellipticCurves(); |
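Review bot: The return value of `q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)` is discarded, and because the prime256v1 fallback lives in the `else` branch, a ctrl call that does not succeed leaves the context with no temporary ECDH key configured at all. OpenSSL documents SSL_CTX_set_ecdh_auto as returning 1 on success; on any other result the server would presumably be unable to complete ECDHE handshakes, which is the forward-secret key exchange this change is meant to improve, so the failure is worth detecting rather than silently accepting. Tracking the outcome in a flag and falling back to the explicit curve whenever it is not 1 keeps the compile-time and runtime version dispatch while closing that gap. The fallback path also still hands `ecdh` to `q_SSL_CTX_set_tmp_ecdh` without checking `q_EC_KEY_new_by_curve_name` for a null result, as the removed lines did. The enclosing function (the `init_context:` label region) starts and ends outside the hunk.
```cpp
#ifndef OPENSSL_NO_EC
    bool ecdhConfigured = false;
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
    if (q_SSLeay() >= 0x10002000L)
        ecdhConfigured = (q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL) == 1);
#endif
    if (!ecdhConfigured) {
        // Set temp ECDH params (pre-1.0.2 OpenSSL, or ECDH_AUTO was not accepted)
        EC_KEY *ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
        if (ecdh) {
            q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh);
            q_EC_KEY_free(ecdh);
        }
    }
#endif // OPENSSL_NO_EC
// … unchanged: elliptic-curve list setup that follows …
```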