State why ECDH is disabled with OpenSSL < 1.0.0e

droe · May 11, 2012 · a3b6d58 · a3b6d58
1 parent 38d2241
commit a3b6d58
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/ssl.h b/ssl.h
@@ -38,6 +38,11 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+/*
+ * ECDH is disabled when building against OpenSSL < 1.0.0e due to issues with
+ * thread-safety and security in server mode ephemereal ECDH cipher suites.
+ * http://www.openssl.org/news/secadv_20110906.txt
+ */
 #if (OPENSSL_VERSION_NUMBER < 0x10000000L) && !defined(OPENSSL_NO_THREADID)
 #define OPENSSL_NO_THREADID
 #endif