ecdhe <named curve>
This setting is only available when support for OpenSSL was built in. It sets
- the named curve (RFC 4492) used to generate ECDH ephemeral keys and makes
- ECDHE cipher suites usable.
+ the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default,
+ used named curve is prime256v1.
ca-file <cafile>
This setting is only available when support for OpenSSL was built in. It
#define LISTEN_DEFAULT_CIPHERS NULL
#endif
+/* named curve used as defaults for ECDHE ciphers */
+#ifndef ECDHE_DEFAULT_CURVE
+#define ECDHE_DEFAULT_CURVE "prime256v1"
+#endif
+
/* ssl cache size */
#ifndef SSLCACHESIZE
#define SSLCACHESIZE 20000
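Review bot: The comment above the new ECDHE_DEFAULT_CURVE macro does not say when the default applies, and "used as defaults" is ungrammatical. Since the define is wrapped in #ifndef it is also a build-time override point, which is worth stating so that a packager knows changing it affects every bind line without an explicit "ecdhe" keyword. Suggested wording: `/* named curve used for ECDHE key exchange when no "ecdhe" keyword is set on the bind line; may be overridden at build time */`.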
SSL_CTX_set_tlsext_servername_arg(ctx, bind_conf);
#endif
#if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)
- if (bind_conf->ecdhe) {
+ {
int i;
EC_KEY *ecdh;
- i = OBJ_sn2nid(bind_conf->ecdhe);
+ i = OBJ_sn2nid(bind_conf->ecdhe ? bind_conf->ecdhe : ECDHE_DEFAULT_CURVE);
if (!i || ((ecdh = EC_KEY_new_by_curve_name(i)) == NULL)) {
Alert("Proxy '%s': unable to set elliptic named curve to '%s' for bind '%s' at [%s:%d].\n",
- curproxy->id, bind_conf->ecdhe, bind_conf->arg, bind_conf->file, bind_conf->line);
+ curproxy->id, bind_conf->ecdhe ? bind_conf->ecdhe : ECDHE_DEFAULT_CURVE,
+ bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
}
else {
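Review bot: The `bind_conf->ecdhe ? bind_conf->ecdhe : ECDHE_DEFAULT_CURVE` fallback is spelled out twice in this hunk, once for the OBJ_sn2nid() lookup and again in the Alert() message, so the two can drift apart if the default logic changes. Hoist it once: `const char *curve = bind_conf->ecdhe ? bind_conf->ecdhe : ECDHE_DEFAULT_CURVE;`, then `i = OBJ_sn2nid(curve);` and `curproxy->id, curve, bind_conf->arg, bind_conf->file, bind_conf->line);`. Note that the block now runs unconditionally, so a failed lookup of the default curve (for example an OpenSSL build without prime256v1, or a build-time override to an unknown short name) counts as a configuration error on every bind that never asked for ECDHE — presumably intended, but worth a comment at the top of the block saying the default curve is mandatory when this OpenSSL has SSL_CTX_set_tmp_ecdh. The enclosing function starts and ends outside this hunk.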