Asterisk
/
asterisk
mirror of https://github.com/asterisk/asterisk
1
0
Fork 0
Code Issues Releases Wiki Activity

tcptls: Allow OpenSSL configured with no-dh.

Browse Source 
Additionally, this change allows auto-negotiation of the elliptic curve/group
for servers, not only with OpenSSL 1.0.2 but also with OpenSSL 1.1.0 and newer.
This enables X25519 (since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1) as a
side-effect.

ASTERISK-27876

Change-Id: I62c2aba4a630aefc231b71f646207e8c027d9497
13.23
Alexander Traud 8 years ago
parent 7f318c3ab5
commit 6833c763c7
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File

9
main/tcptls.c
Unescape View File

@ -1001,8 +1001,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
} }
} }
#ifdef HAVE_OPENSSL_EC #ifndef OPENSSL_NO_DH
if (!ast_strlen_zero(cfg->pvtfile)) { if (!ast_strlen_zero(cfg->pvtfile)) {
BIO *bio = BIO_new_file(cfg->pvtfile, "r"); BIO *bio = BIO_new_file(cfg->pvtfile, "r");
if (bio != NULL) { if (bio != NULL) {
@ -1018,12 +1017,15 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
BIO_free(bio); BIO_free(bio);
} }
} }
#endif
#ifndef SSL_CTRL_SET_ECDH_AUTO #ifndef SSL_CTRL_SET_ECDH_AUTO
#define SSL_CTRL_SET_ECDH_AUTO 94 #define SSL_CTRL_SET_ECDH_AUTO 94
#endif #endif
/* SSL_CTX_set_ecdh_auto(cfg->ssl_ctx, on); requires OpenSSL 1.0.2 which wraps: */ /* SSL_CTX_set_ecdh_auto(cfg->ssl_ctx, on); requires OpenSSL 1.0.2 which wraps: */
if (SSL_CTX_ctrl(cfg->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) { if (SSL_CTX_ctrl(cfg->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
ast_verb(2, "TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled\n"); ast_verb(2, "TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled\n");
#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
} else { } else {
/* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */ /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
@ -1033,10 +1035,9 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
} }
EC_KEY_free(ecdh); EC_KEY_free(ecdh);
} }
#endif
} }
#endif /* #ifdef HAVE_OPENSSL_EC */
ast_verb(2, "TLS/SSL certificate ok\n"); /* We should log which one that is ok. This message doesn't really make sense in production use */ ast_verb(2, "TLS/SSL certificate ok\n"); /* We should log which one that is ok. This message doesn't really make sense in production use */
return 1; return 1;
#endif #endif

Write Preview
Loading…
Cancel
Save