Changeset 4871 for pjproject/trunk/pjlib/src/pj/ssl_sock_ossl.c

Timestamp:

Jul 7, 2014 6:40:01 AM (10 years ago)

Author:

riza

Message:

Re #1765:

• Fixed unnecessary white-space error
• Limiting log message to servers
• Adding SSL_OP_SINGLE_ECDH_USE optionally
• OpenSSL could be built without elliptic curve support, or too old

File:

• pjproject/trunk/pjlib/src/pj/ssl_sock_ossl.c (modified) (2 diffs)

pjproject/trunk/pjlib/src/pj/ssl_sock_ossl.c

@@ -491 +491 @@
     DH *dh;
     long options;
+#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L
     EC_KEY *ecdh;
+#endif
     SSL_METHOD *ssl_method;
     SSL_CTX *ctx;
@@ -588 +590 @@
             }
 
-            bio = BIO_new_file(cert->privkey_file.ptr, "r");
-            if (bio != NULL) {
-                dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
-                if (dh != NULL) {
-                   if (SSL_CTX_set_tmp_dh(ctx, dh)) {
-                        options = SSL_OP_CIPHER_SERVER_PREFERENCE |
-                                  SSL_OP_SINGLE_DH_USE;
-                        options = SSL_CTX_set_options(ctx, options);
-                        PJ_LOG(4,(ssock->pool->obj_name, "SSL DH "
-                                  "initialized, PFS cipher-suites enabled"));
-                   }
-                   DH_free(dh);
+            if (ssock->is_server) {
+                bio = BIO_new_file(cert->privkey_file.ptr, "r");
+                if (bio != NULL) {
+                    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+                    if (dh != NULL) {
+                        if (SSL_CTX_set_tmp_dh(ctx, dh)) {
+                            options = SSL_OP_CIPHER_SERVER_PREFERENCE |
+    #if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L
+                                      SSL_OP_SINGLE_ECDH_USE |
+    #endif
+                                      SSL_OP_SINGLE_DH_USE;
+                            options = SSL_CTX_set_options(ctx, options);
+                            PJ_LOG(4,(ssock->pool->obj_name, "SSL DH "
+                                     "initialized, PFS cipher-suites enabled"));
+                        }
+                        DH_free(dh);
+                    }
+                    BIO_free(bio);
                 }
-                BIO_free(bio);
             }
         }
     }
 
+    if (ssock->is_server) {
     #ifndef SSL_CTRL_SET_ECDH_AUTO
         #define SSL_CTRL_SET_ECDH_AUTO 94
     #endif
-    
-    /* SSL_CTX_set_ecdh_auto(ctx, on); requires OpenSSL 1.0.2 which wraps: */
-    if (SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
-        PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized (automatic), "
-                  "faster PFS ciphers enabled"));
-    } else {
-        /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
-        ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-        if (ecdh != NULL) {
-            if (SSL_CTX_set_tmp_ecdh(ctx, ecdh)) {
-                PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized "
-                          "(secp256r1), faster PFS cipher-suites enabled"));
+
+        /* SSL_CTX_set_ecdh_auto(ctx,on) requires OpenSSL 1.0.2 which wraps: */
+        if (SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
+            PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized "
+                      "(automatic), faster PFS ciphers enabled"));
+    #if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L
+        } else {
+            /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
+            ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+            if (ecdh != NULL) {
+                if (SSL_CTX_set_tmp_ecdh(ctx, ecdh)) {
+                    PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized "
+                              "(secp256r1), faster PFS cipher-suites enabled"));
+                }
+                EC_KEY_free(ecdh);
             }
-            EC_KEY_free(ecdh);
+    #endif
         }
     }