diff options
| author | Leorize <leorize+oss@disroot.org> | 2020-06-04 00:01:13 -0500 |
|---|---|---|
| committer | Andreas Rumpf <rumpf_a@web.de> | 2020-06-06 21:11:53 +0200 |
| commit | 6c0f86c486f6491a2602e95228e63f3c44ab14fc (patch) | |
| tree | 794c1b5e737088dbdbb5c473abd7abe6d725e949 /lib | |
| parent | 9278e785bd9490029ea2f9eb353d241fd14b302a (diff) | |
| download | Nim-6c0f86c486f6491a2602e95228e63f3c44ab14fc.tar.gz | |
net: enable automatic EC curve selection for OpenSSL 1.0.2
This setting is required for servers running OpenSSL < 1.1.0 to support EC-based secure ciphers that is now part of the default cipher list.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pure/net.nim | 7 | ||||
| -rw-r--r-- | lib/wrappers/openssl.nim | 16 |
2 files changed, 23 insertions, 0 deletions
diff --git a/lib/pure/net.nim b/lib/pure/net.nim index a5643330e..f628ee056 100644 --- a/lib/pure/net.nim +++ b/lib/pure/net.nim @@ -580,6 +580,13 @@ when defineSsl: if newCTX.SSL_CTX_set_cipher_list(cipherList) != 1: raiseSSLError() + # Automatically the best ECDH curve for client exchange. Without this, ECDH + # ciphers will be ignored by the server. + # + # From OpenSSL >= 1.1.0, this setting is set by default and can't be + # overriden. + if newCTX.SSL_CTX_set_ecdh_auto(1) != 1: + raiseSSLError() when defined(nimDisableCertificateValidation) or defined(windows): newCTX.SSL_CTX_set_verify(SSL_VERIFY_NONE, nil) diff --git a/lib/wrappers/openssl.nim b/lib/wrappers/openssl.nim index cf248fc86..29cda3efc 100644 --- a/lib/wrappers/openssl.nim +++ b/lib/wrappers/openssl.nim @@ -181,6 +181,7 @@ const SSL_CTRL_SET_TLSEXT_SERVERNAME_CB = 53 SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG = 54 SSL_CTRL_SET_TLSEXT_HOSTNAME = 55 + SSL_CTRL_SET_ECDH_AUTO* = 94 TLSEXT_NAMETYPE_host_name* = 0 SSL_TLSEXT_ERR_OK* = 0 SSL_TLSEXT_ERR_ALERT_WARNING* = 1 @@ -263,6 +264,12 @@ when compileOption("dynlibOverride", "ssl") or defined(noOpenSSLHacks): proc SSL_library_init*(): cint {.cdecl, dynlib: DLLSSLName, importc, discardable.} proc SSL_load_error_strings*() {.cdecl, dynlib: DLLSSLName, importc.} proc SSLv23_method*(): PSSL_METHOD {.cdecl, dynlib: DLLSSLName, importc.} + + proc getOpenSSLVersion*(): culong = + ## This interface is not supported for OpenSSL < 1.1.0 and will + ## always return 0. The interface is provided to aid code + ## supporting multiple OpenSSL versions. + 0 else: proc OPENSSL_init_ssl*(opts: uint64, settings: uint8): cint {.cdecl, dynlib: DLLSSLName, importc, discardable.} proc SSL_library_init*(): cint {.discardable.} = @@ -588,6 +595,15 @@ proc SSL_CTX_use_psk_identity_hint*(ctx: SslCtx; hint: cstring): cint {.cdecl, d proc SSL_get_psk_identity*(ssl: SslPtr): cstring {.cdecl, dynlib: DLLSSLName, importc.} ## Get PSK identity. +proc SSL_CTX_set_ecdh_auto*(ctx: SslCtx, onoff: cint): cint {.inline.} = + ## Set automatic curve selection. + ## + ## On OpenSSL >= 1.1.0 this is on by default and cannot be disabled. + if getOpenSSLVersion() < 0x010100000: + result = cint SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, onoff, nil) + else: + result = 1 + proc bioNew*(b: PBIO_METHOD): BIO{.cdecl, dynlib: DLLUtilName, importc: "BIO_new".} proc bioFreeAll*(b: BIO){.cdecl, dynlib: DLLUtilName, importc: "BIO_free_all".} proc bioSMem*(): PBIO_METHOD{.cdecl, dynlib: DLLUtilName, importc: "BIO_s_mem".} |