From: Remi Tricot-Le Breton Date: Tue, 8 Feb 2022 16:45:56 +0000 (+0100) Subject: MINOR: ssl: Remove EC_KEY related calls when creating a certificate X-Git-Tag: v2.6-dev2~193 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c11e7e1d947b0d269c86232e191d91631c51a22d;p=thirdparty%2Fhaproxy.git MINOR: ssl: Remove EC_KEY related calls when creating a certificate In the context of the 'generate-certificates' bind line option, if an 'ecdhe' option is present on the bind line as well, we use the SSL_CTX_set_tmp_ecdh function which was marked as deprecated in OpenSSLv3. As advised in the SSL_CTX_set_tmp_ecdh manpage, this function should be replaced by the SSL_CTX_set1_groups one (or the SSL_CTX_set1_curves one in our case which does the same but existed on older OpenSSL versions as well). The ECDHE behaviour with OpenSSL 1.0.2 is not the same when using the SSL_CTX_set1_curves function as the one we have on newer versions. Instead of looking for a code that would work exactly the same regardless of the OpenSSL version, we will keep the original code on 1.0.2 and use newer APIs for other versions. This patch should be strictly isofunctional. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 7a9d94af33..1bfb186898 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2209,6 +2209,16 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL #ifndef OPENSSL_NO_DH SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_get_tmp_dh); #endif + +#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) +#if defined(SSL_CTX_set1_curves_list) + { + const char *ecdhe = (bind_conf->ssl_conf.ecdhe ? bind_conf->ssl_conf.ecdhe : ECDHE_DEFAULT_CURVE); + if (!SSL_CTX_set1_curves_list(ssl_ctx, ecdhe)) + goto end; + } +#endif +#else #if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH) { const char *ecdhe = (bind_conf->ssl_conf.ecdhe ? bind_conf->ssl_conf.ecdhe : ECDHE_DEFAULT_CURVE); @@ -2222,7 +2232,8 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL SSL_CTX_set_tmp_ecdh(ssl_ctx, ecc); EC_KEY_free(ecc); } -#endif +#endif /* defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH) */ +#endif /* HA_OPENSSL_VERSION_NUMBER >= 0x10101000L */ end: return ssl_ctx;