| author | 2013-07-16 13:02:16 +0000 | |
|---|---|---|
| committer | 2013-07-16 13:02:16 +0000 | |
| commit | 1bc1bcd4e2231769ad39bf625c22e01207b8212b (patch) | |
| tree | 4bfa4633ca8ddc86dfcf48259556c83eac47a1eb /usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c | |
| parent | Define HonorCipherOrder as a FLAG (rather than as a TAKE1), so that it (diff) | |
| download | wireguard-openbsd-1bc1bcd4e2231769ad39bf625c22e01207b8212b.tar.xz wireguard-openbsd-1bc1bcd4e2231769ad39bf625c22e01207b8212b.zip | |
Enable ECDHE support in httpd via a SSLECDHCurve option. This specifies the
named curve to use when generating ephemeral EC keys for an ECDHE-based
cipher suite, or can be set to `none' to disable. The default is to use
a prime256v1 curve.
yay^Wok djm@
Diffstat (limited to 'usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c')
| -rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
index f7455783b6a..775837a1e89 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
@@ -196,8 +196,9 @@ void *ssl_config_server_create(pool *p, server_rec *s)
 sc->szCertificateChain = NULL;
 sc->szLogFile = NULL;
 sc->szCipherSuite = NULL;
- sc->nLogLevel = SSL_LOG_NONE;
+ sc->nECDHCurve = NID_X9_62_prime256v1;
 sc->bHonorCipherOrder = UNSET;
+ sc->nLogLevel = SSL_LOG_NONE;
 sc->nVerifyDepth = UNSET;
 sc->nVerifyClient = SSL_CVERIFY_UNSET;
 sc->nSessionCacheTimeout = UNSET;
@@ -253,6 +254,7 @@ void *ssl_config_server_merge(pool *p, void *basev, void *addv)
 cfgMergeString(szCertificateChain);
 cfgMergeString(szLogFile);
 cfgMergeString(szCipherSuite);
+ cfgMerge(nECDHCurve, NID_X9_62_prime256v1);
 cfgMergeBool(bHonorCipherOrder);
 cfgMerge(nLogLevel, SSL_LOG_NONE);
 cfgMergeInt(nVerifyDepth);
@@ -544,6 +546,25 @@ const char *ssl_cmd_SSLCipherSuite(
 return NULL;
 }
 
+const char *ssl_cmd_SSLECDHCurve(
+ cmd_parms *cmd, char *struct_ptr, char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ if (strcEQ(arg, "none")) {
+ sc->nECDHCurve = 0;
+ return NULL;
+ }
+
+ sc->nECDHCurve = OBJ_sn2nid((const char *)arg);
+ if (sc->nECDHCurve == 0) {
+ return ap_pstrcat(cmd->pool, "SSLECDHCurve: unknown named curve '",
+ arg, "'", NULL);
+ }
+
+ return NULL;
+}
+
 const char *ssl_cmd_SSLHonorCipherOrder(
 cmd_parms *cmd, char *struct_ptr, int flag)
 {
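Review bot: Using NID_X9_62_prime256v1 as both the default and the "unset" sentinel in `cfgMerge(nECDHCurve, NID_X9_62_prime256v1);` (second hunk) makes an explicit `SSLECDHCurve prime256v1` in a virtual host indistinguishable from no setting, so if cfgMerge follows the usual `add == unset ? base : add` pattern it is overridden by a server-level `SSLECDHCurve none` instead of re-enabling ECDHE for that host. Initialising with `sc->nECDHCurve = UNSET;` in the first hunk and merging with `cfgMerge(nECDHCurve, UNSET);`, then resolving UNSET to prime256v1 at the point of use (outside this diff), would keep an explicit per-host setting authoritative. In ssl_cmd_SSLECDHCurve, OBJ_sn2nid() resolves any OpenSSL short name, so a non-curve name is stored as a non-zero NID and the misconfiguration presumably only surfaces when the ephemeral key is generated; validating the NID in the handler by checking EC_GROUP_new_by_curve_name() for NULL (and freeing the group on success) would reject it at configuration time with the existing "unknown named curve" error, and OBJ_txt2nid() would additionally accept long names. The body of ssl_cmd_SSLHonorCipherOrder continues past the end of the hunk.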
