Add support for ECDH and provide a better ssl_cipher set by default.
parent
dde4f9f75a
commit
0a49f29e10
@ -43,7 +43,7 @@ workers 4
load modules/example/example.module
# Specify the SSL ciphers that will be used.
#ssl_cipher HIGH:!aNULL:!MD5;
#ssl_cipher EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
# If you wish to use ephemeral key exchanges specify a file containing
# a generated DH key (See OpenSSL dhparam).
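Review bot: The example cipher string on the new `#ssl_cipher` line still offers RC4 suites (`EECDH+RC4:EDH+RC4:RC4-SHA`), which RFC 7465 prohibits for TLS; dropping those three entries gives `#ssl_cipher EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5`. The `-SHA1` token only removes suites that are already in the list, so the later `RC4-SHA` and `AES256-SHA` entries add SHA-1 suites back, and both use static RSA key exchange without forward secrecy. The line is commented out, so whether it matches the compiled-in default cannot be seen from this hunk; a short comment stating that the string prefers ephemeral key exchange would help readers of the sample config.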
11
src/domain.c
@ -55,6 +55,10 @@ kore_domain_new(char *domain)
void
kore_domain_sslstart(struct kore_domain *dom)
{
#if !defined(OPENSSL_NO_EC)
EC_KEY *ecdh;
#endif
kore_debug("kore_domain_sslstart(%s)", dom->domain);
dom->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
@ -77,6 +81,13 @@ kore_domain_sslstart(struct kore_domain *dom)
if (ssl_dhparam != NULL) {
SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);
SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
#if !defined(OPENSSL_NO_EC)
if ((ecdh = EC_KEY_new_by_curve_name(NID_secp384r1)) != NULL) {
SSL_CTX_set_tmp_ecdh(dom->ssl_ctx, ecdh);
EC_KEY_free(ecdh);
}
#endif
}
if (ssl_no_compression)
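Review bot: The ECDH setup in the second hunk sits inside the `if (ssl_dhparam != NULL)` block, so ECDHE suites are only enabled when a DH parameter file is configured, although the curve setup never uses `ssl_dhparam`; moving the `#if !defined(OPENSSL_NO_EC)` block below that closing brace would decouple the two. The DH path sets `SSL_OP_SINGLE_DH_USE` but the ECDH path sets no matching option, so on OpenSSL versions that honour it the ephemeral EC key may be reused across handshakes; add `SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);` next to `SSL_CTX_set_tmp_ecdh`. A NULL return from `EC_KEY_new_by_curve_name` is skipped silently, so a `kore_debug` line on that path would make a missing ECDHE configuration visible. kore_domain_sslstart continues past the end of the hunk.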