Posted to commits@trafficserver.apache.org by jp...@apache.org on 2013/12/04 23:06:07 UTC
[2/2] git commit: TS-2372: enable ECDHE forward security
TS-2372: enable ECDHE forward security
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/d75e933a
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/d75e933a
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/d75e933a
Branch: refs/heads/master
Commit: d75e933a1c1b05700ca79dcbe53f6261d39e8c13
Parents: d7bb4cd
Author: James Peach <jp...@apache.org>
Authored: Tue Nov 26 09:37:47 2013 -0800
Committer: James Peach <jp...@apache.org>
Committed: Wed Dec 4 14:05:10 2013 -0800
----------------------------------------------------------------------
CHANGES | 2 ++
iocore/net/SSLUtils.cc | 17 +++++++++++++++++
2 files changed, 19 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d75e933a/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 504e1a0..363b915 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,8 @@
Changes with Apache Traffic Server 4.2.0
+ *) [TS-2372] Enable TLS perfect forward security with ECDHE.
+
*) [TS-2416] Make TLS the session timeout threshold configurable.
Author: Wei Sun <su...@yahoo-inc.com>
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d75e933a/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 228870a..33d1bd5 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -185,6 +185,21 @@ ssl_context_enable_sni(SSL_CTX * ctx, SSLCertLookup * lookup)
return ctx;
}
+static void
+ssl_enable_ecdh(SSL_CTX * ctx)
+{
+#if defined(SSL_CTRL_SET_ECDH_AUTO)
+ SSL_CTX_set_ecdh_auto(ctx, 1);
+#elif defined(NID_X9_62_prime256v1)
+ EC_KEY * ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+
+ if (ecdh) {
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+ EC_KEY_free(ecdh);
+ }
+#endif
+}
+
void
SSLInitializeLibrary()
{
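Review bot: The `#elif` fallback installs a single EC_KEY through `SSL_CTX_set_tmp_ecdh` but never sets `SSL_OP_SINGLE_ECDH_USE`, so on the OpenSSL versions that take this branch (those without `SSL_CTRL_SET_ECDH_AUTO`) the same ECDH key is reused for every handshake on the context, which weakens the forward secrecy the commit sets out to enable; add `SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);` next to the `SSL_CTX_set_tmp_ecdh` call. Both branches also discard their return values, and a NULL from `EC_KEY_new_by_curve_name` (for example an OpenSSL built without EC support) silently leaves the context with no ECDHE cipher suites and nothing logged, so a warning through the file's diagnostic facility on those paths would make the degraded configuration visible to operators. A short header comment on `ssl_enable_ecdh`, e.g. `/* Prefer automatic curve selection when the library offers it; otherwise fall back to a fixed P-256 ephemeral key. */`, would explain why two code paths exist.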
@@ -407,6 +422,8 @@ SSLInitServerContext(
}
}
+ ssl_enable_ecdh(ctx);
+
return ctx;
fail: