Posted to commits@trafficserver.apache.org by jp...@apache.org on 2013/12/04 23:06:07 UTC

[2/2] git commit: TS-2372: enable ECDHE forward security

TS-2372: enable ECDHE forward security


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/d75e933a
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/d75e933a
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/d75e933a

Branch: refs/heads/master
Commit: d75e933a1c1b05700ca79dcbe53f6261d39e8c13
Parents: d7bb4cd
Author: James Peach <jp...@apache.org>
Authored: Tue Nov 26 09:37:47 2013 -0800
Committer: James Peach <jp...@apache.org>
Committed: Wed Dec 4 14:05:10 2013 -0800

----------------------------------------------------------------------
 CHANGES                |  2 ++
 iocore/net/SSLUtils.cc | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d75e933a/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 504e1a0..363b915 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,8 @@
 Changes with Apache Traffic Server 4.2.0
 
 
+  *) [TS-2372] Enable TLS perfect forward security with ECDHE.
+
   *) [TS-2416] Make TLS the session timeout threshold configurable.
    Author: Wei Sun <su...@yahoo-inc.com>
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d75e933a/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 228870a..33d1bd5 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -185,6 +185,21 @@ ssl_context_enable_sni(SSL_CTX * ctx, SSLCertLookup * lookup)
   return ctx;
 }
 
+static void
+ssl_enable_ecdh(SSL_CTX * ctx)
+{
+#if defined(SSL_CTRL_SET_ECDH_AUTO)
+  SSL_CTX_set_ecdh_auto(ctx, 1);
+#elif defined(NID_X9_62_prime256v1)
+  EC_KEY * ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+
+  if (ecdh) {
+    SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+    EC_KEY_free(ecdh);
+  }
+#endif
+}
+
 void
 SSLInitializeLibrary()
 {
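Review bot: ssl_enable_ecdh discards the return values of SSL_CTX_set_ecdh_auto and SSL_CTX_set_tmp_ecdh, so if installing the ECDH parameters fails the server context simply continues without usable ECDHE suites and nothing is logged, which silently undoes the forward secrecy this commit is meant to provide; both calls return 1 on success, so the fallback branch should read `if (SSL_CTX_set_tmp_ecdh(ctx, ecdh) != 1) { /* log the failure */ }` and the `SSL_CTRL_SET_ECDH_AUTO` branch should be checked the same way. The `#elif defined(NID_X9_62_prime256v1)` guard keys on an object NID that, if I read the OpenSSL headers correctly, obj_mac.h defines regardless of whether EC support is compiled in, so a build configured with OPENSSL_NO_EC would still select this branch and fail on EC_KEY_new_by_curve_name; `#elif !defined(OPENSSL_NO_EC) && defined(NID_X9_62_prime256v1)` would keep the function a clean no-op there. Because the helper is void, the call added before `return ctx;` in the second hunk of SSLInitServerContext cannot route a failure to the existing `fail:` label; if the helper is changed to return a status, that call site should `goto fail` on error like the surrounding setup code. A one-line comment above the function noting that the prime256v1 path is only a fallback for OpenSSL builds without automatic curve selection would help the next reader understand why two branches exist.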
@@ -407,6 +422,8 @@ SSLInitServerContext(
     }
   }
 
+  ssl_enable_ecdh(ctx);
+
   return ctx;
 
 fail: