- Timestamp:
- Jul 7, 2014 6:40:01 AM (10 years ago)
- File:
-
- 1 edited
pjproject/trunk/pjlib/src/pj/ssl_sock_ossl.c
r4869 r4871 491 491 DH *dh; 492 492 long options; 493 #if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L 493 494 EC_KEY *ecdh; 495 #endif 494 496 SSL_METHOD *ssl_method; 495 497 SSL_CTX *ctx; … … 588 590 } 589 591 590 bio = BIO_new_file(cert->privkey_file.ptr, "r"); 591 if (bio != NULL) { 592 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); 593 if (dh != NULL) { 594 if (SSL_CTX_set_tmp_dh(ctx, dh)) { 595 options = SSL_OP_CIPHER_SERVER_PREFERENCE | 596 SSL_OP_SINGLE_DH_USE; 597 options = SSL_CTX_set_options(ctx, options); 598 PJ_LOG(4,(ssock->pool->obj_name, "SSL DH " 599 "initialized, PFS cipher-suites enabled")); 600 } 601 DH_free(dh); 592 if (ssock->is_server) { 593 bio = BIO_new_file(cert->privkey_file.ptr, "r"); 594 if (bio != NULL) { 595 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); 596 if (dh != NULL) { 597 if (SSL_CTX_set_tmp_dh(ctx, dh)) { 598 options = SSL_OP_CIPHER_SERVER_PREFERENCE | 599 #if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L 600 SSL_OP_SINGLE_ECDH_USE | 601 #endif 602 SSL_OP_SINGLE_DH_USE; 603 options = SSL_CTX_set_options(ctx, options); 604 PJ_LOG(4,(ssock->pool->obj_name, "SSL DH " 605 "initialized, PFS cipher-suites enabled")); 606 } 607 DH_free(dh); 608 } 609 BIO_free(bio); 602 610 } 603 BIO_free(bio);604 611 } 605 612 } 606 613 } 607 614 615 if (ssock->is_server) { 608 616 #ifndef SSL_CTRL_SET_ECDH_AUTO 609 617 #define SSL_CTRL_SET_ECDH_AUTO 94 610 618 #endif 611 612 /* SSL_CTX_set_ecdh_auto(ctx, on); requires OpenSSL 1.0.2 which wraps: */ 613 if (SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) { 614 PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized (automatic), " 615 "faster PFS ciphers enabled")); 616 } else { 617 /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */ 618 ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 619 if (ecdh != NULL) { 620 if (SSL_CTX_set_tmp_ecdh(ctx, ecdh)) { 621 PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized " 622 "(secp256r1), 
faster PFS cipher-suites enabled")); 619 620 /* SSL_CTX_set_ecdh_auto(ctx,on) requires OpenSSL 1.0.2 which wraps: */ 621 if (SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) { 622 PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized " 623 "(automatic), faster PFS ciphers enabled")); 624 #if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L 625 } else { 626 /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */ 627 ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 628 if (ecdh != NULL) { 629 if (SSL_CTX_set_tmp_ecdh(ctx, ecdh)) { 630 PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized " 631 "(secp256r1), faster PFS cipher-suites enabled")); 632 } 633 EC_KEY_free(ecdh); 623 634 } 624 EC_KEY_free(ecdh); 635 #endif 625 636 } 626 637 }
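Review bot: In the server branch the DH group read with `PEM_read_bio_DHparams` goes straight into `SSL_CTX_set_tmp_dh` with no check on its size or validity, so a weak or malformed group in the private-key file silently becomes the server's DHE group while the log still reports "PFS cipher-suites enabled". Since the commit now restricts this path to `ssock->is_server`, it is a good place to also gate on group size, e.g. `if (dh != NULL && DH_size(dh) * 8 >= 2048) {` (optionally followed by a `DH_check()` pass) and to log a warning when the parameters are rejected rather than dropping through silently. The `#if !defined(OPENSSL_NO_ECDH)` that wraps only the `} else {` of the ECDH-auto fallback is brace-balanced in both configurations but easy to misread; a one-line comment before it, `/* no explicit-curve fallback when ECDH is compiled out */`, would help the next reader. The assignment `options = SSL_CTX_set_options(ctx, options);` stores the resulting option mask that nothing in the hunk reads, which is presumably harmless but worth confirming against the rest of the function. The enclosing function begins and ends outside this hunk.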