[PATCH] SSL: support automatic selection of ECDH temporary key parameters

Piotr Sikora piotr at cloudflare.com
Tue Apr 22 11:59:21 UTC 2014


Hey Maxim,
I've added the requested fallback to the "old code". It's not the
perfect solution because OpenSSL returns the same response code for
"SSL_CTX_set1_curves_list() not supported" and "invalid curves" cases,
but it works. I verified that it behaves correctly when compiled
against OpenSSL-1.0.2 but linked against OpenSSL-1.0.1, etc.

I've also changed error messages to match the style of other SSL
errors, but to be honest, it now looks strange, since the "new code"
errors out with:

    SSL_CTX_set1_curves_list("XXX") failed

whereas the "old code" errors out with:

    Unknown curve name "XXX"

so we have 2 different error messages for the same error... Please let
me know if I misunderstood your previous comment regarding those
messages.

Best regards,
Piotr Sikora


# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1398167365 25200
#      Tue Apr 22 04:49:25 2014 -0700
# Node ID 27a8f0aacdff33b0dd6684815c1403cfd91ca895
# Parent  46d0795a846cc0ee5db8df68003d79ee918eed88
SSL: support automatic selection of ECDH temporary key parameters.

When compiled against OpenSSL-1.0.2+, the colon-separated list of
supported curves can be provided using either curve NIDs:

    ssl_ecdh_curve  secp521r1:secp384r1:prime256v1;

or names:

    ssl_ecdh_curve  P-521:P-384:P-256;

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r 46d0795a846c -r 27a8f0aacdff src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Apr 21 19:21:17 2014 +0400
+++ b/src/event/ngx_event_openssl.c Tue Apr 22 04:49:25 2014 -0700
@@ -685,6 +685,30 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s
 {
 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
 #ifndef OPENSSL_NO_ECDH
+#ifdef SSL_CTRL_SET_ECDH_AUTO
+
+    if (SSL_CTX_set1_curves_list(ssl->ctx, "prime256v1") == 1) {
+
+        if (SSL_CTX_set1_curves_list(ssl->ctx, name->data) == 0) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                          "SSL_CTX_set1_curves_list(\"%s\") failed",
+                          name->data);
+            return NGX_ERROR;
+        }
+
+        SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
+
+        if (SSL_CTX_set_ecdh_auto(ssl->ctx, 1) == 0) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                          "SSL_CTX_set_ecdh_auto() failed");
+            return NGX_ERROR;
+        }
+
+        return NGX_OK;
+    }
+
+#endif
+    {
     int      nid;
     EC_KEY  *ecdh;

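Review bot: the probe call SSL_CTX_set1_curves_list(ssl->ctx, "prime256v1") at the top of the new block is the only thing that decides between the two paths, and as the mail notes a zero return means both "ctrl not supported by the linked library" and "invalid curve list"; with a build against 1.0.2 running on a 1.0.1 library, a value such as P-521:P-384:P-256 therefore falls silently through to the OBJ_sn2nid path and dies with "Unknown curve name", which hides the real cause. Consider at least logging a notice when the probe fails so the fallback is visible, or checking the runtime version (SSLeay()) next to the compile-time guard instead of probing. The guard is also only #ifdef SSL_CTRL_SET_ECDH_AUTO while the block relies on SSL_CTX_set1_curves_list as well; testing SSL_CTRL_SET_CURVES_LIST too would be more precise. Finally, the opening "{" at the end of the hunk wraps the old declarations without re-indenting them; hoisting "int nid;" and "EC_KEY *ecdh;" into the function's declaration block would avoid the extra braces altogether.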
@@ -714,6 +738,7 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_s
     SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);

     EC_KEY_free(ecdh);
+    }
 #endif
 #endif

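Review bot: the closing "}" added before the two #endif lines closes a block whose body keeps its original indentation, so after the patch the braces sit at the same column as the statements they enclose ("    {" ... "    int      nid;" ... "    }"), which reads as a stray brace in nginx's style. Either re-indent the old body by one level, or move the two declarations to the top of the function (under the same #ifndef OPENSSL_NO_ECDH) and drop the braces, which also keeps the old path's diff minimal.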

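The directive syntax described in the commit message, and the fallback discussed in the mail (the same zero return for "not supported" and "invalid curves"), as an added example that is not nginx's or OpenSSL's code: a Python pre-flight check that parses an ssl_ecdh_curve value, predicts which of the patch's two paths would accept it and which of the two error messages it would fail with, and picks the curve a given client would end up with from a multi-curve list. Python is used because the check has to run without an OpenSSL build; the alias table (P-256/P-384/P-521 to prime256v1/secp384r1/secp521r1), the rule that a repeated curve is rejected, and the server-preference selection order are assumptions of the example and are marked as such in the code.

```python
"""Pre-flight check for an nginx ``ssl_ecdh_curve`` value.

Added example, not nginx's or OpenSSL's own code.  It models the two paths in
the patch above: the list path (OpenSSL 1.0.2+, SSL_CTX_set1_curves_list),
which takes a colon-separated list of NID short names or NIST names, and the
single-curve fallback (OBJ_sn2nid + SSL_CTX_set_tmp_ecdh), which takes exactly
one NID short name.  The alias table, the duplicate rule and the selection
order are assumptions of this example.
"""
from typing import Dict, List, Optional, Tuple

# NIST name -> OpenSSL NID short name, limited to the three curves the commit
# message lists (assumption: these are the spellings OpenSSL's list parser
# accepts for them; OBJ_sn2nid knows only the short names).
NIST_ALIASES: Dict[str, str] = {
    "P-256": "prime256v1",
    "P-384": "secp384r1",
    "P-521": "secp521r1",
}
SHORT_NAMES = frozenset(NIST_ALIASES.values())


def canonical_curve(name: str) -> Optional[str]:
    """Map either spelling to the NID short name; None for an unknown curve."""
    if name in SHORT_NAMES:
        return name
    return NIST_ALIASES.get(name)


def parse_curve_list(value: str) -> Tuple[List[str], List[str]]:
    """Split a colon-separated value into (curves in preference order, rejected).

    Rejected entries are unknown names, empty entries (``a::b``, a trailing
    colon) and repeats; a typo should fail at config load, as the patch does.
    Treating repeats as errors is a choice of this example, not OpenSSL's rule.
    """
    curves: List[str] = []
    rejected: List[str] = []
    for entry in value.split(":"):
        canon = canonical_curve(entry)
        if canon is None or canon in curves:
            rejected.append(entry)
        else:
            curves.append(canon)
    return curves, rejected


def check_for_runtime(value: str, curves_list_supported: bool) -> Dict[str, object]:
    """Predict whether ``value`` loads against a given OpenSSL runtime.

    ``curves_list_supported`` True models OpenSSL 1.0.2+, where the patch takes
    SSL_CTX_set1_curves_list; False models the fallback the patch takes when
    its probe call fails, e.g. built against 1.0.2 but linked against 1.0.1
    (the scenario in the mail).  The error strings are the two the patch logs.
    """
    curves, rejected = parse_curve_list(value)
    if not curves_list_supported:
        # Fallback: the whole string goes to OBJ_sn2nid as one short name, so a
        # NIST spelling or any list, even a valid one, is "unknown" there.
        if len(curves) == 1 and not rejected and value == curves[0]:
            return {"ok": True, "path": "tmp_ecdh", "curves": curves}
        return {"ok": False, "path": "tmp_ecdh", "curves": [],
                "error": 'Unknown curve name "%s"' % value}
    if rejected:
        return {"ok": False, "path": "curves_list", "curves": [],
                "error": 'SSL_CTX_set1_curves_list("%s") failed' % value}
    return {"ok": True, "path": "curves_list", "curves": curves}


def select_shared_curve(server_pref: List[str], client_offered: List[str]) -> Optional[str]:
    """First curve in the server's configured order that the client also offers.

    Assumption: the server's order wins, as OpenSSL's automatic selection does
    when SSL_OP_CIPHER_SERVER_PREFERENCE is set; without it the client's order
    is used.  None means no ECDHE suite can be agreed with this client.
    """
    offered = {canonical_curve(c) for c in client_offered}
    for curve in server_pref:
        if curve in offered:
            return curve
    return None


if __name__ == "__main__":
    # Constructed inputs: the two spellings from the commit message, the bad
    # value "XXX" from the mail, and a client that offers only P-256 and P-384.
    for value in ("secp521r1:secp384r1:prime256v1", "P-521:P-384:P-256",
                  "prime256v1", "XXX"):
        for supported in (True, False):
            print(value, "on", "1.0.2" if supported else "1.0.1",
                  "->", check_for_runtime(value, supported))
    pref, _ = parse_curve_list("P-521:P-384:P-256")
    print("negotiated:", select_shared_curve(pref, ["P-256", "P-384"]))
```

Running the script shows the asymmetry the mail complains about: the same three-curve value is accepted on a 1.0.2 runtime and reported as "Unknown curve name" on a 1.0.1 runtime, while a typo on 1.0.2 gets the "SSL_CTX_set1_curves_list(...) failed" wording.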

More information about the nginx-devel mailing list