[pve-devel] applied: [PATCH manager] Add ECDH curves to use with modern ciphers

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Nov 8 09:36:17 CET 2016


applied, thanks for your contribution!

On Thu, Nov 03, 2016 at 12:18:37AM +0100, Jos Ewert wrote:
> This patch adds curves to use with TLS_ECDHE_* ciphers
> They will automatically be used by the proxy as they are
> in the HIGH ciphersuite.
> 
> This patch uses the prime256v1 curve, which should be supported
> by most clients. openssl 1.0.1 only supports a single curve.
> 
> This also forces the use of new DHE and ECDHE keys on every
> handshake. This does not seem to have an impact on performance.
> 
> Signed-Off-By: Jos Ewert flami at flami.net
> ---
>  PVE/HTTPServer.pm | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
> index 1e27bba..1712c10 100755
> --- a/PVE/HTTPServer.pm
> +++ b/PVE/HTTPServer.pm
> @@ -1624,7 +1624,15 @@ sub new {
>  
>      if ($self->{ssl}) {
>  	$self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
> -	Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION);
> +	# TODO : openssl >= 1.0.2 supports SSL_CTX_set_ecdh_auto to select a curve depending on 
> +	# server and client availability from SSL_CTX_set1_curves. 
> +	# that way other curves like 25519 can be used.
> +	# openssl 1.0.1 can only support 1 curve at a time.
> +	my $curve = Net::SSLeay::OBJ_txt2nid('prime256v1');
> +	my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve);
> +	Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE);
> +	Net::SSLeay::CTX_set_tmp_ecdh($self->{tls_ctx}->{ctx}, $ecdh);
> +	Net::SSLeay::EC_KEY_free($ecdh);
>      }
>  
>      if ($self->{spiceproxy}) {
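Review bot: none of the three new calls in the `if ($self->{ssl})` block has its result checked: `OBJ_txt2nid('prime256v1')` returns 0 when the name is unknown, `EC_KEY_new_by_curve_name($curve)` can return a null key, and the return value of `CTX_set_tmp_ecdh` is discarded. If any of them fails, the context is left without the curve this patch is meant to add and nothing is logged. Suggest testing `$curve` and `$ecdh` before use and warning or dying when `CTX_set_tmp_ecdh` does not succeed, keeping `EC_KEY_free($ecdh)` on the path where the key was actually allocated. As a style point, the `CTX_set_options` line is very long now that it ORs three flags; building the option mask in a variable first (`my $opts = ... | ... | ...;`) would make it easier to read and to extend when the TODO for openssl >= 1.0.2 is picked up.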
> -- 
> 2.7.4