From 08e171b10ff34f6eff82d1d81ed3859b7209dd2b Mon Sep 17 00:00:00 2001 From: Riza Sulistyo Date: Mon, 7 Jul 2014 06:40:01 +0000 Subject: Re #1765: - Fixed unnecessary white-space error - Limiting log message to servers - Adding SSL_OP_SINGLE_ECDH_USE optionally - OpenSSL could be built without elliptic curve support, or too old git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@4871 74dad513-b988-da41-8d7b-12977e46ad98 --- pjlib/src/pj/ssl_sock_ossl.c | 63 ++++++++++++++++++++++++++------------------ 1 file changed, 37 insertions(+), 26 deletions(-) diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c index 9f83a0db..0d9f8a4f 100644 --- a/pjlib/src/pj/ssl_sock_ossl.c +++ b/pjlib/src/pj/ssl_sock_ossl.c @@ -490,7 +490,9 @@ static pj_status_t create_ssl(pj_ssl_sock_t *ssock) BIO *bio; DH *dh; long options; +#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L EC_KEY *ecdh; +#endif SSL_METHOD *ssl_method; SSL_CTX *ctx; pj_ssl_cert_t *cert; @@ -587,41 +589,50 @@ static pj_status_t create_ssl(pj_ssl_sock_t *ssock) return status; } - bio = BIO_new_file(cert->privkey_file.ptr, "r"); - if (bio != NULL) { - dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); - if (dh != NULL) { - if (SSL_CTX_set_tmp_dh(ctx, dh)) { - options = SSL_OP_CIPHER_SERVER_PREFERENCE | - SSL_OP_SINGLE_DH_USE; - options = SSL_CTX_set_options(ctx, options); - PJ_LOG(4,(ssock->pool->obj_name, "SSL DH " - "initialized, PFS cipher-suites enabled")); - } - DH_free(dh); + if (ssock->is_server) { + bio = BIO_new_file(cert->privkey_file.ptr, "r"); + if (bio != NULL) { + dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); + if (dh != NULL) { + if (SSL_CTX_set_tmp_dh(ctx, dh)) { + options = SSL_OP_CIPHER_SERVER_PREFERENCE | + #if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L + SSL_OP_SINGLE_ECDH_USE | + #endif + SSL_OP_SINGLE_DH_USE; + options = SSL_CTX_set_options(ctx, options); + PJ_LOG(4,(ssock->pool->obj_name, "SSL DH " + "initialized, PFS cipher-suites enabled")); + } + DH_free(dh); + } + BIO_free(bio); } - BIO_free(bio); } } } + if (ssock->is_server) { #ifndef SSL_CTRL_SET_ECDH_AUTO #define SSL_CTRL_SET_ECDH_AUTO 94 #endif - - /* SSL_CTX_set_ecdh_auto(ctx, on); requires OpenSSL 1.0.2 which wraps: */ - if (SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) { - PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized (automatic), " - "faster PFS ciphers enabled")); - } else { - /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */ - ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - if (ecdh != NULL) { - if (SSL_CTX_set_tmp_ecdh(ctx, ecdh)) { - PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized " - "(secp256r1), faster PFS cipher-suites enabled")); + + /* SSL_CTX_set_ecdh_auto(ctx,on) requires OpenSSL 1.0.2 which wraps: */ + if (SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) { + PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized " + "(automatic), faster PFS ciphers enabled")); + #if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L + } else { + /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */ + ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (ecdh != NULL) { + if (SSL_CTX_set_tmp_ecdh(ctx, ecdh)) { + PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized " + "(secp256r1), faster PFS cipher-suites enabled")); + } + EC_KEY_free(ecdh); } - EC_KEY_free(ecdh); + #endif } } -- cgit v1.2.3