Merge pull request #33 from Argure/master

Enable use of ECDHE in Charybdis on OpenSSL versions that support this.
2013-09-06 11:44:18 -07:00 · 2013-09-06 11:44:18 -07:00 · d8c3d5fe97
parent 9eab762b72 31d2201519
commit d8c3d5fe97
2 changed files with 9 additions and 0 deletions
--- a/README.FIRST
+++ b/README.FIRST
@ -32,6 +32,10 @@ Feature Specific Requirements:

 - For encrypted oper and (optional) server passwords, a working DES, MD5, or SHA library
  implementing crypt().
+  
+- For ECDHE, OpenSSL 1.0.0 or newer is required. RHEL/Fedora and derivatives like CentOS
+  will need to compile OpenSSL from source, as ECC/ECDHE-functionality is removed from
+  the OpenSSL package in these distributions.

 *******************************************************************************

--- a/libratbox/src/openssl.c
+++ b/libratbox/src/openssl.c
@ -314,6 +314,11 @@ rb_init_ssl(void)
 	/* Disable SSLv2, make the client use our settings */
 	SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE);
 	SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
+	
+	/* Set ECDHE on OpenSSL 1.00+ */
+	#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
+		SSL_CTX_set_tmp_ecdh(ssl_server_ctx, EC_KEY_new_by_curve_name(NID_secp384r1));
+	#endif

 	ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());