You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by tr...@apache.org on 2013/08/19 20:04:16 UTC
svn commit: r1515537 - in /httpd/httpd/branches/2.2.x: ./ docs/conf/extra/
docs/manual/mod/ modules/ssl/
Author: trawick
Date: Mon Aug 19 18:04:16 2013
New Revision: 1515537
URL: http://svn.apache.org/r1515537
Log:
2 votes in one proposal for 1082189 and 1 vote in another = approval
Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h
httpd/httpd/branches/2.2.x/modules/ssl/ssl_util.c
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Aug 19 18:04:16 2013
@@ -5,6 +5,10 @@ Changes with Apache 2.2.26
causes security issues in most setups. (The so called "CRIME" attack).
[Stefan Fritsch]
+ *) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
+ OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme,
+ Stefan Fritsch]
+
*) mod_ssl: Fix compilation error when OpenSSL does not contain
support for SSLv2. Problem was introduced in 2.2.25. PR 55194.
[Rainer Jung, Kaspar Brand]
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Mon Aug 19 18:04:16 2013
@@ -101,16 +101,16 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
trunk: http://svn.apache.org/r1506714
+1: gstein, wrowe, rpluem
-PATCHES PROPOSED TO BACKPORT FROM TRUNK:
- [ New proposals should be added at the end of the list ]
-
* mod_ssl: Compare SNI hostname against Host header case-insensitively.
PR: 49491
Trunk version of patch:
http://svn.apache.org/r1082189
Backport version for 2.2.x of patch:
Trunk version of patch works
- +1: rpluem, trawick
+ +1: rpluem, trawick, covener
+
+PATCHES PROPOSED TO BACKPORT FROM TRUNK:
+ [ New proposals should be added at the end of the list ]
* mod_ssl: Support ECC keys
trunk patch: http://svn.apache.org/r834378
@@ -124,15 +124,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
http://svn.apache.org/r1308862
http://svn.apache.org/r1509875
2.2.x patch: http://people.apache.org/~sf/ECC-2.2-v2.diff
- +1: sf
- trawick: Is there any particular reason that the patch doesn't
- define OPENSSL_NO_EC for older OpenSSL levels and use
- that as the feature check, as is done in the 2.4.x
- branch? I guess I can help out with that if it is just
- a matter of labor.
- sf: It does (in ssl_toolkit_compat.h where these things are in 2.2).
- But v1 of the patch lacked one commit to properly use OPENSSL_NO_EC
- everywhere. Fixed in v2.
+ +1: sf, trawick
* mod_ssl config: Fix range check bug with SSLRenegBufferSize
trunk patch: http://svn.apache.org/r954641
@@ -142,14 +134,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
2.2.x patch: trunk patch to ssl_engine_config.c (above) applies with offset
+1: trawick
- * mod_ssl: compare SNI hostname to Host header case insensitively
-
- trunk patch: http://svn.apache.org/viewvc?rev=1082189&view=rev
- 2.4.x patch: n/a, fixed before 2.4 branched.
- 2.2.x patch: trunk works
- +1 covener
-
-
PATCHES/ISSUES THAT ARE STALLED
* mod_cache: Realign the cache_quick_handler() to behave identically
Modified: httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in (original)
+++ httpd/httpd/branches/2.2.x/docs/conf/extra/httpd-ssl.conf.in Mon Aug 19 18:04:16 2013
@@ -114,16 +114,22 @@ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
+# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+# require an ECC certificate which can also be configured in
+# parallel.
SSLCertificateFile "@exp_sysconfdir@/server.crt"
#SSLCertificateFile "@exp_sysconfdir@/server-dsa.crt"
+#SSLCertificateFile "@exp_sysconfdir@/server-ecc.crt"
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
+# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "@exp_sysconfdir@/server.key"
#SSLCertificateKeyFile "@exp_sysconfdir@/server-dsa.key"
+#SSLCertificateKeyFile "@exp_sysconfdir@/server-ecc.key"
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml Mon Aug 19 18:04:16 2013
@@ -188,12 +188,12 @@ query can be done in two ways which can
Here an external program is configured which is called at startup for each
encrypted Private Key file. It is called with two arguments (the first is
of the form ``<code>servername:portnumber</code>'', the second is either
- ``<code>RSA</code>'' or ``<code>DSA</code>''), which indicate for which
- server and algorithm it has to print the corresponding Pass Phrase to
- <code>stdout</code>. The intent is that this external program first runs
- security checks to make sure that the system is not compromised by an
- attacker, and only when these checks were passed successfully it provides
- the Pass Phrase.</p>
+ ``<code>RSA</code>'', ``<code>DSA</code>'', or ``<code>ECC</code>''), which
+ indicate for which server and algorithm it has to print the corresponding
+ Pass Phrase to <code>stdout</code>. The intent is that this external
+ program first runs security checks to make sure that the system is not
+ compromised by an attacker, and only when these checks were passed
+ successfully it provides the Pass Phrase.</p>
<p>
Both these security checks, and the way the Pass Phrase is determined, can
be as complex as you like. Mod_ssl just defines the interface: an
@@ -761,6 +761,7 @@ SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MED
<syntax>SSLCertificateFile <em>file-path</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
+<compatibility>ECC support is available in Apache 2.2.26 and later</compatibility>
<usage>
<p>
@@ -768,8 +769,8 @@ This directive points to the PEM-encoded
optionally also to the corresponding RSA or DSA Private Key file for it
(contained in the same file). If the contained Private Key is encrypted the
Pass Phrase dialog is forced at startup time. This directive can be used up to
-two times (referencing different filenames) when both a RSA and a DSA based
-server certificate is used in parallel.</p>
+three times (referencing different filenames) when both a RSA, a DSA, and an
+ECC based server certificate is used in parallel.</p>
<example><title>Example</title>
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
</example>
@@ -782,6 +783,7 @@ SSLCertificateFile /usr/local/apache2/co
<syntax>SSLCertificateKeyFile <em>file-path</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
+<compatibility>ECC support is available in Apache 2.2.26 and later</compatibility>
<usage>
<p>
@@ -794,8 +796,8 @@ contains both the Certificate and the Pr
not be used. But we strongly discourage this practice. Instead we
recommend you to separate the Certificate and the Private Key. If the
contained Private Key is encrypted, the Pass Phrase dialog is forced
-at startup time. This directive can be used up to two times
-(referencing different filenames) when both a RSA and a DSA based
+at startup time. This directive can be used up to three times
+(referencing different filenames) when both a RSA, a DSA, and an ECC based
private key is used in parallel.</p>
<example><title>Example</title>
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
Modified: httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c Mon Aug 19 18:04:16 2013
@@ -441,6 +441,9 @@ int ssl_init_ssl_connection(conn_rec *c)
*/
SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);
+#ifndef OPENSSL_NO_EC
+ SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH);
+#endif
SSL_set_verify_result(ssl, X509_V_OK);
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c Mon Aug 19 18:04:16 2013
@@ -72,6 +72,9 @@ static void ssl_tmp_keys_free(server_rec
MODSSL_TMP_KEYS_FREE(mc, RSA);
MODSSL_TMP_KEYS_FREE(mc, DH);
+#ifndef OPENSSL_NO_EC
+ MODSSL_TMP_KEY_FREE(mc, EC_KEY, SSL_TMP_KEY_EC_256);
+#endif
}
static int ssl_tmp_key_init_rsa(server_rec *s,
@@ -133,6 +136,40 @@ static int ssl_tmp_key_init_dh(server_re
return OK;
}
+#ifndef OPENSSL_NO_EC
+static int ssl_tmp_key_init_ec(server_rec *s,
+ int bits, int idx)
+{
+ SSLModConfigRec *mc = myModConfig(s);
+ EC_KEY *ecdh = NULL;
+
+ /* XXX: Are there any FIPS constraints we should enforce? */
+
+ if (bits != 256) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Init: Failed to generate temporary "
+ "%d bit EC parameters, only 256 bits supported", bits);
+ return !OK;
+ }
+
+ if ((ecdh = EC_KEY_new()) == NULL ||
+ EC_KEY_set_group(ecdh, EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) != 1)
+ {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Init: Failed to generate temporary "
+ "%d bit EC parameters", bits);
+ return !OK;
+ }
+
+ mc->pTmpKeys[idx] = ecdh;
+ return OK;
+}
+
+#define MODSSL_TMP_KEY_INIT_EC(s, bits) \
+ ssl_tmp_key_init_ec(s, bits, SSL_TMP_KEY_EC_##bits)
+
+#endif
+
#define MODSSL_TMP_KEY_INIT_RSA(s, bits) \
ssl_tmp_key_init_rsa(s, bits, SSL_TMP_KEY_RSA_##bits)
@@ -157,6 +194,15 @@ static int ssl_tmp_keys_init(server_rec
return !OK;
}
+#ifndef OPENSSL_NO_EC
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "Init: Generating temporary EC parameters (256 bits)");
+
+ if (MODSSL_TMP_KEY_INIT_EC(s, 256)) {
+ return !OK;
+ }
+#endif
+
return OK;
}
@@ -399,7 +445,11 @@ static void ssl_init_server_check(server
* Check for problematic re-initializations
*/
if (mctx->pks->certs[SSL_AIDX_RSA] ||
- mctx->pks->certs[SSL_AIDX_DSA])
+ mctx->pks->certs[SSL_AIDX_DSA]
+#ifndef OPENSSL_NO_EC
+ || mctx->pks->certs[SSL_AIDX_ECC]
+#endif
+ )
{
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Illegal attempt to re-initialise SSL for server "
@@ -599,6 +649,9 @@ static void ssl_init_ctx_callbacks(serve
SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
+#ifndef OPENSSL_NO_EC
+ SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH);
+#endif
SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
}
@@ -866,9 +919,16 @@ static int ssl_server_import_key(server_
ssl_asn1_t *asn1;
MODSSL_D2I_PrivateKey_CONST unsigned char *ptr;
const char *type = ssl_asn1_keystr(idx);
- int pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
+ int pkey_type;
EVP_PKEY *pkey;
+#ifndef OPENSSL_NO_EC
+ if (idx == SSL_AIDX_ECC)
+ pkey_type = EVP_PKEY_EC;
+ else
+#endif /* SSL_LIBRARY_VERSION */
+ pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;
+
if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) {
return FALSE;
}
@@ -978,20 +1038,34 @@ static void ssl_init_server_certs(server
apr_pool_t *ptemp,
modssl_ctx_t *mctx)
{
- const char *rsa_id, *dsa_id;
+ const char *rsa_id, *dsa_id, *ecc_id;
const char *vhost_id = mctx->sc->vhost_id;
int i;
- int have_rsa, have_dsa;
+ int have_rsa, have_dsa, have_ecc;
rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
+#ifndef OPENSSL_NO_EC
+ ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
+#endif
have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
+#ifndef OPENSSL_NO_EC
+ have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
+#endif
- if (!(have_rsa || have_dsa)) {
+ if (!(have_rsa || have_dsa
+#ifndef OPENSSL_NO_EC
+ || have_ecc
+#endif
+)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+#ifndef OPENSSL_NO_EC
+ "Oops, no RSA, DSA or ECC server certificate found "
+#else
"Oops, no RSA or DSA server certificate found "
+#endif
"for '%s:%d'?!", s->server_hostname, s->port);
ssl_die();
}
@@ -1002,10 +1076,21 @@ static void ssl_init_server_certs(server
have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA);
have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA);
+#if SSL_LIBRARY_VERSION >= 0x00908000
+ have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC);
+#endif
- if (!(have_rsa || have_dsa)) {
+ if (!(have_rsa || have_dsa
+#if SSL_LIBRARY_VERSION >= 0x00908000
+ || have_ecc
+#endif
+ )) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+#if SSL_LIBRARY_VERSION >= 0x00908000
+ "Oops, no RSA, DSA or ECC server private key found?!");
+#else
"Oops, no RSA or DSA server private key found?!");
+#endif
ssl_die();
}
}
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c Mon Aug 19 18:04:16 2013
@@ -1267,6 +1267,27 @@ DH *ssl_callback_TmpDH(SSL *ssl, int exp
return (DH *)mc->pTmpKeys[idx];
}
+#ifndef OPENSSL_NO_EC
+EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen)
+{
+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
+ SSLModConfigRec *mc = myModConfigFromConn(c);
+ int idx;
+
+ /* XXX Uses 256-bit key for now. TODO: support other sizes. */
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
+ "handing out temporary 256 bit ECC key");
+
+ switch (keylen) {
+ case 256:
+ default:
+ idx = SSL_TMP_KEY_EC_256;
+ }
+
+ return (EC_KEY *)mc->pTmpKeys[idx];
+}
+#endif
+
/*
* This OpenSSL callback function is called when OpenSSL
* does client authentication and verifies the certificate chain.
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h Mon Aug 19 18:04:16 2013
@@ -191,11 +191,21 @@ typedef int ssl_algo_t;
#define SSL_ALGO_UNKNOWN (0)
#define SSL_ALGO_RSA (1<<0)
#define SSL_ALGO_DSA (1<<1)
+#ifndef OPENSSL_NO_EC
+#define SSL_ALGO_ECC (1<<2)
+#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC)
+#else
#define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA)
+#endif /* SSL_LIBRARY_VERSION */
#define SSL_AIDX_RSA (0)
#define SSL_AIDX_DSA (1)
+#ifndef OPENSSL_NO_EC
+#define SSL_AIDX_ECC (2)
+#define SSL_AIDX_MAX (3)
+#else
#define SSL_AIDX_MAX (2)
+#endif /* SSL_LIBRARY_VERSION */
/**
@@ -206,7 +216,12 @@ typedef int ssl_algo_t;
#define SSL_TMP_KEY_RSA_1024 (1)
#define SSL_TMP_KEY_DH_512 (2)
#define SSL_TMP_KEY_DH_1024 (3)
+#ifndef OPENSSL_NO_EC
+#define SSL_TMP_KEY_EC_256 (4)
+#define SSL_TMP_KEY_MAX (5)
+#else
#define SSL_TMP_KEY_MAX (4)
+#endif
/**
* Define the SSL options
@@ -625,6 +640,9 @@ void ssl_hook_ConfigTest(apr_poo
/** OpenSSL callbacks */
RSA *ssl_callback_TmpRSA(SSL *, int, int);
DH *ssl_callback_TmpDH(SSL *, int, int);
+#ifndef OPENSSL_NO_EC
+EC_KEY *ssl_callback_TmpECDH(SSL *, int, int);
+#endif /* SSL_LIBRARY_VERSION */
int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_toolkit_compat.h Mon Aug 19 18:04:16 2013
@@ -38,6 +38,12 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
+
+/* ECC support came along in OpenSSL 1.0.0 */
+#if (OPENSSL_VERSION_NUMBER < 0x10000000)
+#define OPENSSL_NO_EC
+#endif
+
/** Avoid tripping over an engine build installed globally and detected
* when the user points at an explicit non-engine flavor of OpenSSL
*/
Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_util.c?rev=1515537&r1=1515536&r2=1515537&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_util.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_util.c Mon Aug 19 18:04:16 2013
@@ -150,6 +150,11 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCe
case EVP_PKEY_DSA:
t = SSL_ALGO_DSA;
break;
+#ifndef OPENSSL_NO_EC
+ case EVP_PKEY_EC:
+ t = SSL_ALGO_ECC;
+ break;
+#endif
default:
break;
}
@@ -174,6 +179,11 @@ char *ssl_util_algotypestr(ssl_algo_t t)
case SSL_ALGO_DSA:
cp = "DSA";
break;
+#ifndef OPENSSL_NO_EC
+ case SSL_ALGO_ECC:
+ cp = "ECC";
+ break;
+#endif
default:
break;
}
@@ -245,7 +255,11 @@ void ssl_asn1_table_unset(apr_hash_t *ta
apr_hash_set(table, key, klen, NULL);
}
+#ifndef OPENSSL_NO_EC
+static const char *ssl_asn1_key_types[] = {"RSA", "DSA", "ECC"};
+#else
static const char *ssl_asn1_key_types[] = {"RSA", "DSA"};
+#endif
const char *ssl_asn1_keystr(int keytype)
{