Posted to commits@trafficserver.apache.org by zw...@apache.org on 2018/08/08 15:44:18 UTC
[trafficserver] branch 7.1.x updated: Enable ECDH explicitly only if OpenSSL version is v1.0.2 or lower
This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/7.1.x by this push:
new 583f9e0 Enable ECDH explicitly only if OpenSSL version is v1.0.2 or lower
583f9e0 is described below
commit 583f9e0038794326ef5ef5e9b2c69f30eb4f7bcb
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Tue Jul 31 14:13:44 2018 +0900
Enable ECDH explicitly only if OpenSSL version is v1.0.2 or lower
SSL_CTX_set_ecdh_auto() has been removed and ECDH is enabled by default
since OpenSSL v1.1.0.
(cherry picked from commit 034c25b5b8ebe764e94f5bb3beca6a2599c40c66)
---
iocore/net/SSLUtils.cc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 40792dc..6bdd05b 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -539,9 +539,13 @@ ssl_context_enable_dhe(const char *dhparams_file, SSL_CTX *ctx)
return ctx;
}
+// SSL_CTX_set_ecdh_auto() is removed by OpenSSL v1.1.0 and ECDH is enabled in default.
+// TODO: remove this function when we drop support of OpenSSL v1.0.2* and lower.
static SSL_CTX *
ssl_context_enable_ecdh(SSL_CTX *ctx)
{
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+
#if TS_USE_TLS_ECKEY
#if defined(SSL_CTRL_SET_ECDH_AUTO)
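Review bot: The new guard `#if OPENSSL_VERSION_NUMBER < 0x10100000` keys on the OpenSSL version number alone, so it also compiles the whole body out under LibreSSL, which reports OPENSSL_VERSION_NUMBER as 0x20000000L. If this branch is built against LibreSSL, please confirm that ECDH is still negotiated there without this call, or widen the condition, for example `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`. The inner `#if defined(SSL_CTRL_SET_ECDH_AUTO)` already feature-detects the control, so it is worth stating in the comment why the version check is needed in addition to it. Two style points: the constant is conventionally written with the `L` suffix (`0x10100000L`), and the added blank line after the `#if` can go.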
@@ -555,6 +559,7 @@ ssl_context_enable_ecdh(SSL_CTX *ctx)
}
#endif
#endif
+#endif
return ctx;
}
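Review bot: The added `#endif` is the third bare `#endif` in a row, so it is not obvious which one closes the version guard. Please annotate it, for example `#endif // OPENSSL_VERSION_NUMBER < 0x10100000`, and ideally the two above it as well. With the guard in place the function reduces to `return ctx;` on OpenSSL v1.1.0 and later, so any build or test that asserts ECDHE cipher suites are offered should be run against both a v1.0.2 and a v1.1.0 build to confirm that the default behaviour the commit message relies on actually holds for this branch.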