Revert "Disable SSL_ECDH_CURVE by default"

This reverts commit 85a9a59
swoole · Apr 10, 2020 · dc5ac29 · dc5ac29
1 parent 360e8b2
commit dc5ac29
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 12 deletions.
diff --git a/include/swoole_config.h b/include/swoole_config.h
@@ -170,6 +170,7 @@
 
 #define SW_SSL_BUFFER_SIZE               16384
 #define SW_SSL_CIPHER_LIST               "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
+#define SW_SSL_ECDH_CURVE                "secp384r1"
 #define SW_SSL_NPN_ADVERTISE             "\x08http/1.1"
 #define SW_SSL_HTTP2_NPN_ADVERTISE       "\x02h2"
 

diff --git a/src/protocol/ssl.c b/src/protocol/ssl.c
@@ -19,10 +19,6 @@
 
 #ifdef SW_USE_OPENSSL
 
-#if OPENSSL_VERSION_NUMBER < 0x10000000L
-#error "require openssl version 1.0 or later"
-#endif
-
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -39,8 +35,8 @@ static RSA* swSSL_rsa_key_callback(SSL *ssl, int is_export, int key_length);
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 static int swSSL_set_default_dhparam(SSL_CTX* ssl_context);
 #endif
-static int swSSL_set_dhparam(SSL_CTX* ssl_context, const char *file);
-static int swSSL_set_ecdh_curve(SSL_CTX* ssl_context, const char *ecdh_curve);
+static int swSSL_set_dhparam(SSL_CTX* ssl_context, char *file);
+static int swSSL_set_ecdh_curve(SSL_CTX* ssl_context);
 
 #ifdef TLSEXT_TYPE_next_proto_neg
 static int swSSL_npn_advertised(SSL *ssl, const uchar **out, uint32_t *outlen, void *arg);
@@ -267,7 +263,7 @@ int swSSL_server_set_cipher(SSL_CTX* ssl_context, swSSL_config *cfg)
 #endif
     if (cfg->ecdh_curve && strlen(cfg->ecdh_curve) > 0)
     {
-        swSSL_set_ecdh_curve(ssl_context, cfg->ecdh_curve);
+        swSSL_set_ecdh_curve(ssl_context);
     }
     return SW_OK;
 }
@@ -1229,8 +1225,9 @@ static int swSSL_set_default_dhparam(SSL_CTX* ssl_context)
 }
 #endif
 
-static int swSSL_set_ecdh_curve(SSL_CTX* ssl_context, const char *ecdh_curve)
+static int swSSL_set_ecdh_curve(SSL_CTX* ssl_context)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
 #ifndef OPENSSL_NO_ECDH
 
     EC_KEY *ecdh;
@@ -1240,30 +1237,31 @@ static int swSSL_set_ecdh_curve(SSL_CTX* ssl_context, const char *ecdh_curve)
      * binary fields. OpenSSL only supports the "named curves", which provide
      * maximum interoperability.
      */
-    int nid = OBJ_sn2nid(ecdh_curve);
+    int nid = OBJ_sn2nid(SW_SSL_ECDH_CURVE);
     if (nid == 0)
     {
-        swWarn("Unknown curve name \"%s\"", ecdh_curve);
+        swWarn("Unknown curve name \"%s\"", SW_SSL_ECDH_CURVE);
         return SW_ERR;
     }
 
     ecdh = EC_KEY_new_by_curve_name(nid);
     if (ecdh == NULL)
     {
-        swWarn("Unable to create curve \"%s\"", ecdh_curve);
+        swWarn("Unable to create curve \"%s\"", SW_SSL_ECDH_CURVE);
         return SW_ERR;
     }
 
     SSL_CTX_set_options(ssl_context, SSL_OP_SINGLE_ECDH_USE);
     SSL_CTX_set_tmp_ecdh(ssl_context, ecdh);
 
     EC_KEY_free(ecdh);
+#endif
 #endif
 
     return SW_OK;
 }
 
-static int swSSL_set_dhparam(SSL_CTX* ssl_context, const char *file)
+static int swSSL_set_dhparam(SSL_CTX* ssl_context, char *file)
 {
     DH *dh;
     BIO *bio;

diff --git a/src/server/master.cc b/src/server/master.cc
@@ -1667,6 +1667,7 @@ swListenPort* swServer_add_port(swServer *serv, enum swSocket_type type, const c
             ls->ssl_config.stapling = 1;
             ls->ssl_config.stapling_verify = 1;
             ls->ssl_config.ciphers = sw_strdup(SW_SSL_CIPHER_LIST);
+            ls->ssl_config.ecdh_curve = sw_strdup(SW_SSL_ECDH_CURVE);
 #endif
         }
     }