From: Alexander Traud
Date: Fri, 25 May 2018 14:55:26 +0000 (+0200)
Subject: tcptls: Allow OpenSSL configured with no-dh.
X-Git-Tag: 13.22.0-rc1~42^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6833c763c72b5608944b38d819c3e09ababd656e;p=thirdparty%2Fasterisk.git

tcptls: Allow OpenSSL configured with no-dh.

Additionally, this change allows auto-negotiation of the elliptic curve/group for servers, not only with OpenSSL 1.0.2 but also with OpenSSL 1.1.0 and newer. This enables X25519 (since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1) as a side-effect.

ASTERISK-27876

Change-Id: I62c2aba4a630aefc231b71f646207e8c027d9497
---

diff --git a/main/tcptls.c b/main/tcptls.c
index 23a6a2e5c0..860bd3bb18 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -1001,8 +1001,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 }
 }
 
-#ifdef HAVE_OPENSSL_EC
-
+#ifndef OPENSSL_NO_DH
 if (!ast_strlen_zero(cfg->pvtfile)) {
 BIO *bio = BIO_new_file(cfg->pvtfile, "r");
 if (bio != NULL) {
@@ -1018,12 +1017,15 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 BIO_free(bio);
 }
 }
+#endif
+
 #ifndef SSL_CTRL_SET_ECDH_AUTO
 #define SSL_CTRL_SET_ECDH_AUTO 94
 #endif
 /* SSL_CTX_set_ecdh_auto(cfg->ssl_ctx, on); requires OpenSSL 1.0.2 which wraps: */
 if (SSL_CTX_ctrl(cfg->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
 ast_verb(2, "TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled\n");
+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
 } else {
 /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
 EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
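Review bot: The new `#ifndef OPENSSL_NO_DH` guard in this hunk makes the whole `cfg->pvtfile` block vanish in a no-dh build, so an administrator who placed DH parameters in the private key file gets no log line saying they are now ignored, and everything between this hunk and the next (not shown here) is compiled out with it, so please confirm that nothing DH-independent, for instance an `SSL_CTX_set_options` call, sits inside the guard. An `#else` branch on this guard with `if (!ast_strlen_zero(cfg->pvtfile)) { ast_verb(2, "TLS/SSL DH unavailable in this OpenSSL build, DH parameters in the private key file are ignored\n"); }` would keep the outcome visible at the same verbosity as the surrounding messages. `__ssl_setup` begins before this hunk.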
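Review bot: With the new `#if` the `else` fallback is compiled out on OpenSSL 1.1.0 and newer, leaving `SSL_CTX_ctrl(cfg->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)` as the only statement that runs there, and its verbose message is printed only when that ctrl returns non-zero; the file defines `SSL_CTRL_SET_ECDH_AUTO` as the raw number 94 precisely because newer headers no longer provide it, and if those versions treat the ctrl as unknown (I believe they do, since 1.1.0 dropped the setting together with the static-curve fallback it replaced) the function logs nothing about ECDH on modern builds even though the commit message promises automatic group negotiation there. Operators then have no log evidence that the library-chosen groups are in effect rather than a stale static curve. I would branch on the version first, report the automatic case directly on 1.1.0+ and keep the ctrl-plus-fallback path for older releases as sketched below; the `#endif` the next hunk adds after the fallback's closing brace then needs a second `#endif` after the `if` statement's own closing brace. `__ssl_setup` starts before this hunk and the `if` statement opened here closes in the next one.
```c
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
	/* SSL_CTRL_SET_ECDH_AUTO is gone from 1.1.0 on; group negotiation is always on, so only report it. */
	ast_verb(2, "TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled\n");
#else
	/* SSL_CTX_set_ecdh_auto(cfg->ssl_ctx, on); requires OpenSSL 1.0.2 which wraps: */
	if (SSL_CTX_ctrl(cfg->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
		ast_verb(2, "TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled\n");
#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L)
	} else {
		/* … unchanged: NID_X9_62_prime256v1 fallback via SSL_CTX_set_tmp_ecdh … */
```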
@@ -1033,10 +1035,9 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 }
 EC_KEY_free(ecdh);
 }
+#endif
 }
 
-#endif /* #ifdef HAVE_OPENSSL_EC */
-
 ast_verb(2, "TLS/SSL certificate ok\n"); /* We should log which one that is ok. This message doesn't really make sense in production use */
 return 1;
 #endif
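Review bot: The `#endif` added here closes the `#if` opened in the previous hunk, yet unlike the removed `#endif /* #ifdef HAVE_OPENSSL_EC */` it carries no comment, and this one needs it more: the conditional region spans the `} else {` line, so the `}` right after this `#endif` closes the `else` when the condition holds and the `if (SSL_CTX_ctrl(...))` when it does not, which reads like an unbalanced brace to anyone not tracing the preprocessor. I would write `#endif /* !OPENSSL_NO_ECDH && OpenSSL 1.0.x: static secp256r1 fallback */` here and, for the same reason, `#endif /* !OPENSSL_NO_DH */` for the `#endif` the previous hunk adds after the DH parameter block. `__ssl_setup` starts before this hunk.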