[pve-devel] [PATCH manager] Add ECDH curves to use with modern ciphers

Jos Ewert flami at flami.net
Thu Nov 3 00:18:37 CET 2016


This patch adds curves to use with TLS_ECDHE_* ciphers
They will automatically be used be the proxy as they are
in the HIGH ciphersuite.

This patch uses the prime256v1 curve, which should be supported
by most clients. openssl 1.0.1 only supports a single curve.

This also forces the use of new DHE and ECDHE keys on every
handshake. This does not seem to have an impact on performance.

Signed-Off-By: Jos Ewert flami at flami.net
---
 PVE/HTTPServer.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 1e27bba..1712c10 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -1624,7 +1624,15 @@ sub new {
 
     if ($self->{ssl}) {
 	$self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
-	Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION);
+	# TODO : openssl >= 1.0.2 supports SSL_CTX_set_ecdh_auto to select a curve depending on 
+	# server and client availability from SSL_CTX_set1_curves. 
+	# that way other curves like 25519 can be used.
+	# openssl 1.0.1 can only support 1 curve at a time.
+	my $curve = Net::SSLeay::OBJ_txt2nid('prime256v1');
+	my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve);
+	Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE);
+	Net::SSLeay::CTX_set_tmp_ecdh($self->{tls_ctx}->{ctx}, $ecdh);
+	Net::SSLeay::EC_KEY_free($ecdh);
     }
 
     if ($self->{spiceproxy}) {
-- 
2.7.4





More information about the pve-devel mailing list