From 50332c40710ab421318c97be0c6ca94b71d4fe58 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Thu, 6 Aug 2020 15:24:42 +0900
Subject: [ruby/openssl] ssl: call SSL_CTX_set_ecdh_auto() on OpenSSL 1.0.2 only

SSL_CTX_set_ecdh_auto() exists in OpenSSL 1.1.0 and LibreSSL 2.6.1, but it is made no-op and the automatic curve selection cannot be disabled.

Wrap it with ifdef to make it clear that it is safe to remove it completely when we drop support for OpenSSL 1.0.2.

https://github.com/ruby/openssl/commit/2ae8f21234
---
 ext/openssl/ossl_ssl.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'ext/openssl')

diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 2174b65b55..e8fb13f7ea 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -93,14 +93,15 @@ ossl_sslctx_s_alloc(VALUE klass)
     RTYPEDDATA_DATA(obj) = ctx;
     SSL_CTX_set_ex_data(ctx, ossl_sslctx_ex_ptr_idx, (void *)obj);
 
-#if !defined(OPENSSL_NO_EC)
+#if !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER < 0x10100000 && \
+    !defined(LIBRESSL_VERSION_NUMBER)
     /* We use SSL_CTX_set1_curves_list() to specify the curve used in ECDH. It
      * allows to specify multiple curve names and OpenSSL will select
      * automatically from them. In OpenSSL 1.0.2, the automatic selection has to
-     * be enabled explicitly. But OpenSSL 1.1.0 removed the knob and it is
-     * always enabled. To uniform the behavior, we enable the automatic
-     * selection also in 1.0.2. Users can still disable ECDH by removing ECDH
-     * cipher suites by SSLContext#ciphers=. */
+     * be enabled explicitly. OpenSSL 1.1.0 and LibreSSL 2.6.1 removed the knob
+     * and it is always enabled. To uniform the behavior, we enable the
+     * automatic selection also in 1.0.2. Users can still disable ECDH by
+     * removing ECDH cipher suites by SSLContext#ciphers=. */
     if (!SSL_CTX_set_ecdh_auto(ctx, 1))
         ossl_raise(eSSLError, "SSL_CTX_set_ecdh_auto");
 #endif
-- 
cgit v1.2.3
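Review bot: The commit message says the point of the new `#if` guard is to make the block obviously removable once OpenSSL 1.0.2 support is dropped, but nothing in the rewritten comment says so; a reader of the file alone will not know the condition under which the whole `#if … #endif` can go. I would add a first line to the comment block, `/* TODO: drop this whole block when OpenSSL 1.0.2 support is removed. */`, so the intent survives without the commit history. The `!defined(LIBRESSL_VERSION_NUMBER)` clause is, as far as I know, redundant because LibreSSL reports an OPENSSL_VERSION_NUMBER of 0x20000000L, which already fails the `< 0x10100000` test, but keeping it as explicit documentation of intent is reasonable. Minor wording: "To uniform the behavior" reads better as "To unify the behavior". The enclosing function ossl_sslctx_s_alloc begins before and continues after the hunk.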