Posted to commits@trafficserver.apache.org by ma...@apache.org on 2018/08/02 06:19:43 UTC

[trafficserver] branch master updated: Enable ECDH explicitly only if OpenSSL version is v1.0.2 or lower

This is an automated email from the ASF dual-hosted git repository.

masaori pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 034c25b  Enable ECDH explicitly only if OpenSSL version is v1.0.2 or lower
034c25b is described below

commit 034c25b5b8ebe764e94f5bb3beca6a2599c40c66
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Tue Jul 31 14:13:44 2018 +0900

    Enable ECDH explicitly only if OpenSSL version is v1.0.2 or lower
    
    SSL_CTX_set_ecdh_auto() has been removed and ECDH is enabled in default
    since OpenSSL v1.1.0.
---
 iocore/net/SSLUtils.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 93d7fb3..71b71a3 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -587,9 +587,13 @@ ssl_context_enable_dhe(const char *dhparams_file, SSL_CTX *ctx)
   return ctx;
 }
 
+// SSL_CTX_set_ecdh_auto() is removed by OpenSSL v1.1.0 and ECDH is enabled in default.
+// TODO: remove this function when we drop support of OpenSSL v1.0.2* and lower.
 static SSL_CTX *
 ssl_context_enable_ecdh(SSL_CTX *ctx)
 {
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+
 #if TS_USE_TLS_ECKEY
 
 #if defined(SSL_CTRL_SET_ECDH_AUTO)
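Review bot: The new `#if OPENSSL_VERSION_NUMBER < 0x10100000` guard keys the explicit-enable path on the raw version number alone, so a fork that reports a different numbering scheme (LibreSSL, for example, advertises a 2.x number) will take the "ECDH already on by default" branch regardless of whether that library actually enables ECDH automatically; if the build is meant to support such forks, that assumption should be verified and the guard extended, e.g. `#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)` — I have not confirmed the fork's default, so treat this as a point to check rather than a definite bug. The magic literal deserves a short note so the next reader need not decode it: `// 0x10100000 == OpenSSL 1.1.0; below it ECDH must be enabled explicitly`. The function-level comment could also say what the pre-1.1.0 branch relies on so a silent no-op is not mistaken for a working configuration, for instance "on older OpenSSL this is what turns ECDHE suites on; if it is compiled out, ECDHE is not negotiated". ssl_context_enable_ecdh continues past this hunk; the matching `#endif` and the return are in the second hunk.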
@@ -603,6 +607,7 @@ ssl_context_enable_ecdh(SSL_CTX *ctx)
   }
 #endif
 #endif
+#endif
 
   return ctx;
 }