From: Kaspar Brand
Date: Sat, 1 Feb 2014 14:04:23 +0000 (+0000)
Subject: enable auto curve selection for ephemeral ECDH keys
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2158f4ca0ec636dc34d3f8141acc846241d7b900;p=thirdparty%2Fapache%2Fhttpd.git
enable auto curve selection for ephemeral ECDH keys when compiled against OpenSSL 1.0.2 or later
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1563420 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index d8dd8c2229a..0c6cdd7cf83 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1022,11 +1022,16 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
 OBJ_nid2sn(nid), vhost_id, certfile);
 }
 /*
- * ...otherwise, configure NIST P-256 (required to enable ECDHE)
+ * ...otherwise, enable auto curve selection (OpenSSL 1.0.2 and later)
+ * or configure NIST P-256 (required to enable ECDHE for earlier versions)
 */
 else {
+#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
+#else
 SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
 EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+#endif
 }
 #endif
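Review bot: Neither arm of the new `#if` inside the `else` block checks its result or logs which mode was chosen, so a vhost can come up without ECDHE (and so without forward-secret key exchange) with nothing in the log to show it. In the `#else` arm the result of `EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)` is passed straight into `SSL_CTX_set_tmp_ecdh()`; it can be NULL, and OpenSSL 1.0.x appears to duplicate the key inside that call, so the caller's object is also never freed. I would hold it in a local, `EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);`, test both `key` and the return of `SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, key)`, and then call `EC_KEY_free(key);`. A debug-level message in each arm, similar to the one the preceding branch appears to emit for a curve taken from the certificate file, would make the effective setting auditable per vhost. `ssl_init_server_certs` starts and ends outside this hunk, so how it reports errors to its caller is not visible here.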