openssl: call SSL_CTX_set_ecdh_auto() for forward secrecy.

2016-03-04 10:05:09 -08:00 · 2016-03-04 10:05:09 -08:00 · 46c9143232
parent 777528fd40
commit 46c9143232
1 changed files with 6 additions and 1 deletions
--- a/basis/io/sockets/secure/openssl/openssl.factor
+++ b/basis/io/sockets/secure/openssl/openssl.factor
@ -115,6 +115,10 @@ M: bio dispose* handle>> BIO_free ssl-error ;
        SSL_CTX_set_tmp_dh ssl-error
    ] [ drop ] if ;

+! Attempt to set ecdh. If it fails, ignore...?
+: set-ecdh-params ( ctx -- )
+    handle>> SSL_CTRL_SET_ECDH_AUTO 1 f SSL_CTX_ctrl drop ;
+
 : <openssl-context> ( config ctx -- context )
    openssl-context new-disposable
        swap >>handle
@ -135,6 +139,7 @@ M: openssl <secure-context> ( config -- context )
            [ load-verify-locations ]
            [ set-verify-depth ]
            [ load-dh-params ]
+            [ set-ecdh-params ]
            [ ]
        } cleave
    ] with-destructors ;
@ -166,7 +171,7 @@ SYMBOL: default-secure-context

 : set-secure-cipher-list-only ( ssl -- ssl )
    dup handle>>
-    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:AES128-SHA:CAMELLIA128-SHA:AES256-SHA:CAMELLIA256-SHA"
+    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-SHA:CAMELLIA256-SHA"
    SSL_set_cipher_list ssl-error ;

 : <ssl-handle> ( fd -- ssl )