SSL: let a server choose the most appropriate curve for a client

OpenSSL 1.0.2 introduces SSL_CTX_set_ecdh_auto, which allows us
to stop using one specific temporary curve, and instead makes
the server negotiate the best curve.

Task-number: QTBUG-42925
Change-Id: I3a68f29030bdf04f368bfdf79c888401ce82bdd8
Reviewed-by: Richard J. Moore <rich@kde.org>

1 files changed, 12 insertions, 5 deletions

diff --git a/src/network/ssl/qsslcontext_openssl.cpp b/src/network/ssl/qsslcontext_openssl.cpp
index e62367cef3..c1d09dce44 100644
--- a/src/network/ssl/qsslcontext_openssl.cpp
+++ b/src/network/ssl/qsslcontext_openssl.cpp
@@ -321,11 +321,18 @@ init_context:
     q_DH_free(dh);
 
 #ifndef OPENSSL_NO_EC
-    // Set temp ECDH params
-    EC_KEY *ecdh = 0;
-    ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-    q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh);
-    q_EC_KEY_free(ecdh);
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+    if (q_SSLeay() >= 0x10002000L) {
+        q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL);
+    } else
+#endif
+    {
+        // Set temp ECDH params
+        EC_KEY *ecdh = 0;
+        ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+        q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh);
+        q_EC_KEY_free(ecdh);
+    }
 #endif // OPENSSL_NO_EC
 
     const QVector<QSslEllipticCurve> qcurves = sslContext->sslConfiguration.ellipticCurves();