MINOR: ssl: Add callbacks to set DH/ECDH params for generated certificates

A callback is now defined for generated certificates to set DH parameters for
ephemeral key exchange when required.
In the same way, when possible, Elliptic Curve DH (ECDH) parameters are also defined.
This commit is contained in:
Christopher Faulet 2015-10-09 11:46:32 +02:00 committed by Willy Tarreau
parent 7969a33a01
commit 85b5a1a781


@ -1006,6 +1006,8 @@ static int ssl_sock_advertise_alpn_protos(SSL *s, const unsigned char **out,
#endif
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen);
/* Create a X509 certificate with the specified servername and serial. This
* function returns a SSL_CTX object or NULL if an error occurs. */
static SSL_CTX *
@ -1110,6 +1112,22 @@ ssl_sock_do_create_cert(const char *servername, unsigned int serial,
if (newcrt) X509_free(newcrt);
SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_get_tmp_dh);
#if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)
{
const char *ecdhe = (bind_conf->ecdhe ? bind_conf->ecdhe : ECDHE_DEFAULT_CURVE);
EC_KEY *ecc;
int nid;
if ((nid = OBJ_sn2nid(ecdhe)) == NID_undef)
goto end;
if (!(ecc = EC_KEY_new_by_curve_name(nid)))
goto end;
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecc);
EC_KEY_free(ecc);
}
#endif
end:
return ssl_ctx;
mkcert_error:
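Review bot: The two `goto end` lines inside the ECDH block turn an unknown curve name or a failed EC_KEY_new_by_curve_name() into a silent success: the function still returns ssl_ctx, which then has no ECDH parameters set, so ECDHE cipher suites will presumably not be negotiable for that generated certificate and nothing is logged. Because bind_conf->ecdhe comes from the configuration, an invalid name is better rejected at parse time, and this fallback should at least be documented, e.g. `/* unknown curve or EC_KEY allocation failure: keep the ctx usable without ECDH params */`. The return value of SSL_CTX_set_tmp_ecdh() is also ignored, unlike the two error paths just above it. ssl_sock_do_create_cert starts and ends outside this hunk.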