[pve-devel] applied: [PATCH manager] Add ECDH curves to use with modern ciphers
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Nov 8 09:36:17 CET 2016
applied, thanks for your contribution!
On Thu, Nov 03, 2016 at 12:18:37AM +0100, Jos Ewert wrote:
> This patch adds curves to use with TLS_ECDHE_* ciphers
> They will automatically be used be the proxy as they are
> in the HIGH ciphersuite.
>
> This patch uses the prime256v1 curve, which should be supported
> by most clients. openssl 1.0.1 only supports a single curve.
>
> This also forces the use of new DHE and ECDHE keys on every
> handshake. This does not seem to have an impact on performance.
>
> Signed-Off-By: Jos Ewert flami at flami.net
> ---
> PVE/HTTPServer.pm | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
> index 1e27bba..1712c10 100755
> --- a/PVE/HTTPServer.pm
> +++ b/PVE/HTTPServer.pm
> @@ -1624,7 +1624,15 @@ sub new {
>
> if ($self->{ssl}) {
> $self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
> - Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION);
> + # TODO : openssl >= 1.0.2 supports SSL_CTX_set_ecdh_auto to select a curve depending on
> + # server and client availability from SSL_CTX_set1_curves.
> + # that way other curves like 25519 can be used.
> + # openssl 1.0.1 can only support 1 curve at a time.
> + my $curve = Net::SSLeay::OBJ_txt2nid('prime256v1');
> + my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve);
> + Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE);
> + Net::SSLeay::CTX_set_tmp_ecdh($self->{tls_ctx}->{ctx}, $ecdh);
> + Net::SSLeay::EC_KEY_free($ecdh);
> }
>
> if ($self->{spiceproxy}) {
> --
> 2.7.4
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
More information about the pve-devel
mailing list