[pve-devel] [PATCH manager] Add ECDH curves to use with modern ciphers
Jos Ewert
flami at flami.net
Mon Oct 31 19:16:41 CET 2016
The TLS_ECDHE_* ciphers will automatically be used by the proxy
as they are in the HIGH ciphersuite.
---
PVE/HTTPServer.pm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 1e27bba..e38542b 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -1625,6 +1625,13 @@ sub new {
if ($self->{ssl}) {
$self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION);
+ # ECDH curve ( Net-SSLeay >= 1.56, openssl >= 1.0.0 )
+ if ( exists &Net::SSLeay::CTX_set_tmp_ecdh ) {
+ my $curve = Net::SSLeay::OBJ_txt2nid('prime256v1');
+ my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve);
+ Net::SSLeay::CTX_set_tmp_ecdh( $self->{tls_ctx}->{ctx}, $ecdh );
+ Net::SSLeay::EC_KEY_free($ecdh);
+ }
}
if ($self->{spiceproxy}) {
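Review bot: the new block passes the results of Net::SSLeay::OBJ_txt2nid('prime256v1') and Net::SSLeay::EC_KEY_new_by_curve_name($curve) straight on without checking them, and the return value of CTX_set_tmp_ecdh is ignored. If the linked OpenSSL build does not know the curve, $curve is 0 (NID_undef) and $ecdh is a null pointer, so the proxy would start without ECDHE and give no indication why. Suggest checking both values and warning or dying on failure, for example `my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve) or die "unable to create EC key for prime256v1\n";`, and only calling EC_KEY_free when $ecdh is set. The guard also tests only `exists &Net::SSLeay::CTX_set_tmp_ecdh` while the block relies on EC_KEY_new_by_curve_name and EC_KEY_free as well; the comment states the minimum Net-SSLeay version, so either test those too or note that they arrive in the same release. Finally, the curve name is hard-coded inside `new`; a short comment on why prime256v1 was chosen, or a named constant, would make a later change easier to review.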
--
2.7.4