

diff -up openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/shttpd/shttpd.c.orig openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/shttpd/shttpd.c
--- openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/shttpd/shttpd.c.orig 2018-06-15 13:18:46.274786925 +0200
+++ openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/shttpd/shttpd.c 2018-06-15 13:18:46.281786924 +0200
@@ -1474,6 +1474,7 @@ set_ssl(struct shttpd_ctx *ctx, const ch
char *ssl_disabled_protocols = wsmand_options_get_ssl_disabled_protocols();
char *ssl_cipher_list = wsmand_options_get_ssl_cipher_list();
int retval = FALSE;
+ EC_KEY* key;
/* Initialize SSL crap */
debug("Initialize SSL");
@@ -1493,6 +1494,13 @@ set_ssl(struct shttpd_ctx *ctx, const ch
else
retval = TRUE;
+ /* This enables ECDH Perfect Forward secrecy. Currently with just the most generic p256 prime curve */
+ key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ if (key != NULL) {
+ SSL_CTX_set_tmp_ecdh(CTX, key);
+ EC_KEY_free(key);
+ }
+
while (ssl_disabled_protocols) {
struct ctx_opts_t {
char *name;
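Review bot: The outcome of the ECDH setup is never checked — a NULL from `EC_KEY_new_by_curve_name` is silently skipped and the return value of `SSL_CTX_set_tmp_ecdh` is discarded, so set_ssl still reports `retval = TRUE` and writes no log entry even when the curve could not be installed and ECDHE cipher suites end up unavailable. Since `EC_KEY_free` accepts NULL, the block can be written as `if (key == NULL || SSL_CTX_set_tmp_ecdh(CTX, key) != 1)` followed by `debug("ECDH setup for prime256v1 failed; ECDHE cipher suites may be unavailable");` and an unconditional `EC_KEY_free(key);`. Whether such a failure should also clear `retval` is an operator-policy question this hunk does not settle, but it should at least be visible in the log. The declaration added in the previous hunk, `EC_KEY* key;`, departs from the file's `char *name` pointer style and stays uninitialized until this point; `EC_KEY *key = NULL;` would match. set_ssl's body continues outside the hunk.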