Posted to commits@trafficserver.apache.org by zw...@apache.org on 2018/08/07 19:54:59 UTC

[trafficserver] branch 8.0.x updated: Enable ECDH explicitly only if OpenSSL version is v1.0.2 or lower

This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 8.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/8.0.x by this push:
     new 112fb32  Enable ECDH explicitly only if OpenSSL version is v1.0.2 or lower
112fb32 is described below

commit 112fb321268137944aca54674ecfdeb3f4c16cda
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Tue Jul 31 14:13:44 2018 +0900

    Enable ECDH explicitly only if OpenSSL version is v1.0.2 or lower
    
    SSL_CTX_set_ecdh_auto() has been removed and ECDH is enabled by default
    since OpenSSL v1.1.0.
    
    (cherry picked from commit 034c25b5b8ebe764e94f5bb3beca6a2599c40c66)
---
 iocore/net/SSLUtils.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 93d7fb3..71b71a3 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -587,9 +587,13 @@ ssl_context_enable_dhe(const char *dhparams_file, SSL_CTX *ctx)
   return ctx;
 }
 
+// SSL_CTX_set_ecdh_auto() is removed by OpenSSL v1.1.0 and ECDH is enabled in default.
+// TODO: remove this function when we drop support of OpenSSL v1.0.2* and lower.
 static SSL_CTX *
 ssl_context_enable_ecdh(SSL_CTX *ctx)
 {
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+
 #if TS_USE_TLS_ECKEY
 
 #if defined(SSL_CTRL_SET_ECDH_AUTO)
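Review bot: The new `#if OPENSSL_VERSION_NUMBER < 0x10100000` gate treats "reports 1.1.0 or newer" as "enables ECDH by default", which holds for OpenSSL itself but not necessarily for libraries that redefine OPENSSL_VERSION_NUMBER: LibreSSL reports 0x20000000L and BoringSSL a value that does not follow OpenSSL's release line, so if either is a supported build target the explicit enable is silently skipped there and ECDHE suites only remain offered if that library also defaults to automatic curve selection, which is worth confirming rather than assuming. The comment on the preceding line is also slightly off: as far as I recall, 1.1.0 keeps SSL_CTX_set_ecdh_auto() as a compatibility no-op macro and what disappeared is the SSL_CTRL_SET_ECDH_AUTO control, which is why the inner `#if defined(SSL_CTRL_SET_ECDH_AUTO)` already compiled this out on 1.1.0. I would reword it to `// Since OpenSSL 1.1.0, SSL_CTX_set_ecdh_auto() is a no-op macro (SSL_CTRL_SET_ECDH_AUTO is gone) and ECDH curve selection is automatic; the gate below targets 1.0.2 and older.` and add a one-line note that LibreSSL/BoringSSL version numbers are not comparable to OpenSSL's here. The body of ssl_context_enable_ecdh between this hunk and the next is not shown.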
@@ -603,6 +607,7 @@ ssl_context_enable_ecdh(SSL_CTX *ctx)
   }
 #endif
 #endif
+#endif
 
   return ctx;
 }