BUG/MEDIUM: ssl: ECDHE ciphers not usable without named curve configured.

Fix consists to use prime256v1 as default named curve to init ECDHE ciphers if none configured.

doc/configuration.txt

@@ -7079,8 +7079,8 @@ backlog <backlog>
 
 ecdhe <named curve>
   This setting is only available when support for OpenSSL was built in. It sets
-  the named curve (RFC 4492) used to generate ECDH ephemeral keys and makes
-  ECDHE cipher suites usable.
+  the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default,
+  used named curve is prime256v1.
 
 ca-file <cafile>
   This setting is only available when support for OpenSSL was built in. It

include/common/defaults.h

@@ -191,6 +191,11 @@
 #define LISTEN_DEFAULT_CIPHERS NULL
 #endif
 
+/* named curve used as defaults for ECDHE ciphers */
+#ifndef ECDHE_DEFAULT_CURVE
+#define ECDHE_DEFAULT_CURVE "prime256v1"
+#endif
+
 /* ssl cache size */
 #ifndef SSLCACHESIZE
 #define SSLCACHESIZE 20000

src/ssl_sock.c

@@ -625,14 +625,15 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 	SSL_CTX_set_tlsext_servername_arg(ctx, bind_conf);
 #endif
 #if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)
-	if (bind_conf->ecdhe) {
+	{
 		int i;
 		EC_KEY  *ecdh;
 
-		i = OBJ_sn2nid(bind_conf->ecdhe);
+		i = OBJ_sn2nid(bind_conf->ecdhe ? bind_conf->ecdhe : ECDHE_DEFAULT_CURVE);
 		if (!i || ((ecdh = EC_KEY_new_by_curve_name(i)) == NULL)) {
 			Alert("Proxy '%s': unable to set elliptic named curve to '%s' for bind '%s' at [%s:%d].\n",
-			      curproxy->id, bind_conf->ecdhe, bind_conf->arg, bind_conf->file, bind_conf->line);
+			      curproxy->id, bind_conf->ecdhe ? bind_conf->ecdhe : ECDHE_DEFAULT_CURVE,
+			      bind_conf->arg, bind_conf->file, bind_conf->line);
 			cfgerr++;
 		}
 		else {