From 10f9a4b775db22cf5fad1b83df114fa2d6d6459a Mon Sep 17 00:00:00 2001 From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?= Date: Thu, 30 Mar 2017 11:54:39 +0200 Subject: [PATCH] fix #1332: allow ECDHE with all supported curves MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit with openssl 1.0.1, we had to limit ourself to one curve to allow ECDHE at all. with openssl 1.1.x, the same limit actually means only allowing ECDSA certificates using that curve, even for non-ephemeral ECDH handshakes, effectively only allowing prime256 EC certificates. since openssl 1.1.x supports auto-negotiation of the curve used for ECDHE, simply use that for now. Signed-off-by: Fabian Grünbichler --- PVE/APIServer/AnyEvent.pm | 8 -------- 1 file changed, 8 deletions(-) diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm index f9970e6..222faab 100755 --- a/PVE/APIServer/AnyEvent.pm +++ b/PVE/APIServer/AnyEvent.pm @@ -1616,15 +1616,7 @@ sub new { if ($self->{ssl}) { $self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}}); - # TODO : openssl >= 1.0.2 supports SSL_CTX_set_ecdh_auto to select a curve depending on - # server and client availability from SSL_CTX_set1_curves. - # that way other curves like 25519 can be used. - # openssl 1.0.1 can only support 1 curve at a time. - my $curve = Net::SSLeay::OBJ_txt2nid('prime256v1'); - my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve); Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE); - Net::SSLeay::CTX_set_tmp_ecdh($self->{tls_ctx}->{ctx}, $ecdh); - Net::SSLeay::EC_KEY_free($ecdh); } if ($self->{spiceproxy}) { -- 2.39.5