From 9431321c653e4f387d7d27c410d22aabb2d042ef Mon Sep 17 00:00:00 2001 From: Giuseppe D'Angelo Date: Thu, 27 Nov 2014 11:03:06 +0100 Subject: [PATCH] SSL: let a server choose the most appropriate curve for a client OpenSSL 1.0.2 introduces SSL_CTX_set_ecdh_auto, which allows us to stop using one specific temporary curve, and instead makes the server negotiate the best curve. Task-number: QTBUG-42925 Change-Id: I3a68f29030bdf04f368bfdf79c888401ce82bdd8 Reviewed-by: Richard J. Moore --- src/network/ssl/qsslcontext_openssl.cpp | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/src/network/ssl/qsslcontext_openssl.cpp b/src/network/ssl/qsslcontext_openssl.cpp index e62367cef3..c1d09dce44 100644 --- a/src/network/ssl/qsslcontext_openssl.cpp +++ b/src/network/ssl/qsslcontext_openssl.cpp @@ -321,11 +321,18 @@ init_context: q_DH_free(dh); #ifndef OPENSSL_NO_EC - // Set temp ECDH params - EC_KEY *ecdh = 0; - ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh); - q_EC_KEY_free(ecdh); +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + if (q_SSLeay() >= 0x10002000L) { + q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL); + } else +#endif + { + // Set temp ECDH params + EC_KEY *ecdh = 0; + ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh); + q_EC_KEY_free(ecdh); + } #endif // OPENSSL_NO_EC const QVector qcurves = sslContext->sslConfiguration.ellipticCurves();