res/res_rtp_asterisk: Add ECDH support

This will add ECDH support to Asterisk. It will detect auto ECDH support in OpenSSL (1.0.2b and above) during ./configure. If this is available, it will use it, otherwise it will fall back to prime256v1 (this behavior is consistent with other projects such as Apache and nginx). This fixes WebRTC being broken in Firefox 38+ due to Firefox now only supporting ciphers with perfect forward secrecy. ASTERISK-25265 #close Change-Id: I8c13b33a2a79c0bde2e69e4ba6afa5ab9351465b
author: Mark Duncan <mark@syon.co.jp> 2015-07-28 19:33:39 +0900
committer: Matt Jordan <mjordan@digium.com> 2015-08-03 09:58:02 -0500
commit: aed068844c1c9748da9c67b74ea4d90622be8f46 (patch)
tree: 96c90bc89a571a6cec4ffdce7480d70752b46eb6 /res/res_rtp_asterisk.c
parent: 20ee33e22e3724c35ab3078c5032b87af5b4920c (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
index 5d206c1a0..0c47e1e25 100644
--- a/res/res_rtp_asterisk.c
+++ b/res/res_rtp_asterisk.c
@@ -1288,6 +1288,13 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
 
 	SSL_CTX_set_read_ahead(rtp->ssl_ctx, 1);
 
+#ifdef HAVE_OPENSSL_ECDH_AUTO
+	SSL_CTX_set_ecdh_auto(rtp->ssl_ctx, 1);
+#else
+	SSL_CTX_set_tmp_ecdh(rtp->ssl_ctx,
+		EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+#endif
+
 	rtp->dtls_verify = dtls_cfg->verify;
 
 	SSL_CTX_set_verify(rtp->ssl_ctx, (rtp->dtls_verify & AST_RTP_DTLS_VERIFY_FINGERPRINT) || (rtp->dtls_verify & AST_RTP_DTLS_VERIFY_CERTIFICATE) ?
author	Mark Duncan <mark@syon.co.jp>	2015-07-28 19:33:39 +0900
committer	Matt Jordan <mjordan@digium.com>	2015-08-03 09:58:02 -0500
commit	aed068844c1c9748da9c67b74ea4d90622be8f46 (patch)
tree	96c90bc89a571a6cec4ffdce7480d70752b46eb6 /res/res_rtp_asterisk.c
parent	20ee33e22e3724c35ab3078c5032b87af5b4920c (diff)