[pve-devel] applied: [PATCH http-server] fix #1332: allow ECDHE with all supported curves

[Wolfgang Bumiller]

applied

On Thu, Mar 30, 2017 at 11:54:39AM +0200, Fabian Grünbichler wrote:
> with openssl 1.0.1, we had to limit ourself to one curve to
> allow ECDHE at all.
> 
> with openssl 1.1.x, the same limit actually means only
> allowing ECDSA certificates using that curve, even for
> non-ephemeral ECDH handshakes, effectively only allowing
> prime256 EC certificates.
> 
> since openssl 1.1.x supports auto-negotiation of the curve
> used for ECDHE, simply use that for now.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> tested with openssl's s_client and Chromium
> 
> for master / PVE 5.0 only
> 
>  PVE/APIServer/AnyEvent.pm | 8 --------
>  1 file changed, 8 deletions(-)
> 
> diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
> index f9970e6..222faab 100755
> --- a/PVE/APIServer/AnyEvent.pm
> +++ b/PVE/APIServer/AnyEvent.pm
> @@ -1616,15 +1616,7 @@ sub new {
>  
>      if ($self->{ssl}) {
>  	$self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
> -	# TODO : openssl >= 1.0.2 supports SSL_CTX_set_ecdh_auto to select a curve depending on
> -	# server and client availability from SSL_CTX_set1_curves.
> -	# that way other curves like 25519 can be used.
> -	# openssl 1.0.1 can only support 1 curve at a time.
> -	my $curve = Net::SSLeay::OBJ_txt2nid('prime256v1');
> -	my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve);
>  	Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE);
> -	Net::SSLeay::CTX_set_tmp_ecdh($self->{tls_ctx}->{ctx}, $ecdh);
> -	Net::SSLeay::EC_KEY_free($ecdh);
>      }
>  
>      if ($self->{spiceproxy}) {
> -- 
> 2.1.4