Add support for ECDH and provide a better ssl_cipher set by default.

modules/example/module.conf

@@ -43,7 +43,7 @@ workers		4
 load modules/example/example.module
 
 # Specify the SSL ciphers that will be used.
-#ssl_cipher	HIGH:!aNULL:!MD5;
+#ssl_cipher	EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
 
 # If you wish to use ephemeral key exchanges specify a file containing
 # a generated DH key (See OpenSSL dhparam).

src/domain.c

@@ -55,6 +55,10 @@ kore_domain_new(char *domain)
 void
 kore_domain_sslstart(struct kore_domain *dom)
 {
+#if !defined(OPENSSL_NO_EC)
+	EC_KEY		*ecdh;
+#endif
+
 	kore_debug("kore_domain_sslstart(%s)", dom->domain);
 
 	dom->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
@@ -77,6 +81,13 @@ kore_domain_sslstart(struct kore_domain *dom)
 	if (ssl_dhparam != NULL) {
 		SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);
 		SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
+
+#if !defined(OPENSSL_NO_EC)
+		if ((ecdh = EC_KEY_new_by_curve_name(NID_secp384r1)) != NULL) {
+			SSL_CTX_set_tmp_ecdh(dom->ssl_ctx, ecdh);
+			EC_KEY_free(ecdh);
+		}
+#endif
 	}
 
 	if (ssl_no_compression)