From 46c914323277b089946f8c300bee794c7dd3286a Mon Sep 17 00:00:00 2001 From: Doug Coleman Date: Fri, 4 Mar 2016 10:05:09 -0800 Subject: [PATCH] openssl: call SSL_CTX_set_ecdh_auto() for forward secrecy. --- basis/io/sockets/secure/openssl/openssl.factor | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/basis/io/sockets/secure/openssl/openssl.factor b/basis/io/sockets/secure/openssl/openssl.factor index d9cf7d09a6..58c9709074 100644 --- a/basis/io/sockets/secure/openssl/openssl.factor +++ b/basis/io/sockets/secure/openssl/openssl.factor @@ -115,6 +115,10 @@ M: bio dispose* handle>> BIO_free ssl-error ; SSL_CTX_set_tmp_dh ssl-error ] [ drop ] if ; +! Attempt to set ecdh. If it fails, ignore...? +: set-ecdh-params ( ctx -- ) + handle>> SSL_CTRL_SET_ECDH_AUTO 1 f SSL_CTX_ctrl drop ; + : ( config ctx -- context ) openssl-context new-disposable swap >>handle @@ -135,6 +139,7 @@ M: openssl ( config -- context ) [ load-verify-locations ] [ set-verify-depth ] [ load-dh-params ] + [ set-ecdh-params ] [ ] } cleave ] with-destructors ; @@ -166,7 +171,7 @@ SYMBOL: default-secure-context : set-secure-cipher-list-only ( ssl -- ssl ) dup handle>> - "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:AES128-SHA:CAMELLIA128-SHA:AES256-SHA:CAMELLIA256-SHA" + "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-SHA:CAMELLIA256-SHA" SSL_set_cipher_list ssl-error ; : ( fd -- ssl )