applied On Thu, Mar 30, 2017 at 11:54:39AM +0200, Fabian Grünbichler wrote: > with openssl 1.0.1, we had to limit ourself to one curve to > allow ECDHE at all. > > with openssl 1.1.x, the same limit actually means only > allowing ECDSA certificates using that curve, even for > non-ephemeral ECDH handshakes, effectively only allowing > prime256 EC certificates. > > since openssl 1.1.x supports auto-negotiation of the curve > used for ECDHE, simply use that for now. > > Signed-off-by: Fabian Grünbichler <[email protected]> > --- > tested with openssl's s_client and Chromium > > for master / PVE 5.0 only > > PVE/APIServer/AnyEvent.pm | 8 -------- > 1 file changed, 8 deletions(-) > > diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm > index f9970e6..222faab 100755 > --- a/PVE/APIServer/AnyEvent.pm > +++ b/PVE/APIServer/AnyEvent.pm > @@ -1616,15 +1616,7 @@ sub new { > > if ($self->{ssl}) { > $self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}}); > - # TODO : openssl >= 1.0.2 supports SSL_CTX_set_ecdh_auto to select a > curve depending on > - # server and client availability from SSL_CTX_set1_curves. > - # that way other curves like 25519 can be used. > - # openssl 1.0.1 can only support 1 curve at a time. > - my $curve = Net::SSLeay::OBJ_txt2nid('prime256v1'); > - my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve); > Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, > &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | > &Net::SSLeay::OP_SINGLE_DH_USE); > - Net::SSLeay::CTX_set_tmp_ecdh($self->{tls_ctx}->{ctx}, $ecdh); > - Net::SSLeay::EC_KEY_free($ecdh); > } > > if ($self->{spiceproxy}) { > -- > 2.1.4
_______________________________________________ pve-devel mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
