author | Leorize <leorize+oss@disroot.org> | 2020-06-04 00:01:13 -0500 |
---|---|---|
committer | Andreas Rumpf <rumpf_a@web.de> | 2020-06-06 21:11:53 +0200 |
commit | 6c0f86c486f6491a2602e95228e63f3c44ab14fc (patch) | |
tree | 794c1b5e737088dbdbb5c473abd7abe6d725e949 /lib/pure | |
parent | 9278e785bd9490029ea2f9eb353d241fd14b302a (diff) | |
download | Nim-6c0f86c486f6491a2602e95228e63f3c44ab14fc.tar.gz |
net: enable automatic EC curve selection for OpenSSL 1.0.2
This setting is required for servers running OpenSSL < 1.1.0 to support EC-based secure ciphers that are now part of the default cipher list.
Diffstat (limited to 'lib/pure')
-rw-r--r-- | lib/pure/net.nim | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/pure/net.nim b/lib/pure/net.nim
index a5643330e..f628ee056 100644
--- a/lib/pure/net.nim
+++ b/lib/pure/net.nim
@@ -580,6 +580,13 @@ when defineSsl:
 if newCTX.SSL_CTX_set_cipher_list(cipherList) != 1:
 raiseSSLError()
+ # Automatically the best ECDH curve for client exchange. Without this, ECDH
+ # ciphers will be ignored by the server.
+ #
+ # From OpenSSL >= 1.1.0, this setting is set by default and can't be
+ # overriden.
+ if newCTX.SSL_CTX_set_ecdh_auto(1) != 1:
+ raiseSSLError()
 when defined(nimDisableCertificateValidation) or defined(windows):
 newCTX.SSL_CTX_set_verify(SSL_VERIFY_NONE, nil) |
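Review bot: The added `if newCTX.SSL_CTX_set_ecdh_auto(1) != 1: raiseSSLError()` treats any return other than 1 as fatal, so context creation would fail outright on a TLS library that does not implement this control. The wrapper is outside this diff, so this is inferred, but releases older than the 1.0.2 named in the title presumably reject the request. Because the setting only widens the usable cipher set, consider gating the call on the detected library version, or not raising when the control is unsupported, and state in the comment which versions are expected to succeed. The comment itself is missing a verb and has a misspelling: `# Automatically select the best ECDH curve for the key exchange.` and `overridden`. The enclosing proc starts and ends outside the hunk.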