[pve-devel] [PATCH http-server] fix #1332: allow ECDHE with all supported curves

[Fabian Grünbichler]

with openssl 1.0.1, we had to limit ourself to one curve to
allow ECDHE at all.

with openssl 1.1.x, the same limit actually means only
allowing ECDSA certificates using that curve, even for
non-ephemeral ECDH handshakes, effectively only allowing
prime256 EC certificates.

since openssl 1.1.x supports auto-negotiation of the curve
used for ECDHE, simply use that for now.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
tested with openssl's s_client and Chromium

for master / PVE 5.0 only

 PVE/APIServer/AnyEvent.pm | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
index f9970e6..222faab 100755
--- a/PVE/APIServer/AnyEvent.pm
+++ b/PVE/APIServer/AnyEvent.pm
@@ -1616,15 +1616,7 @@ sub new {
 
     if ($self->{ssl}) {
 	$self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
-	# TODO : openssl >= 1.0.2 supports SSL_CTX_set_ecdh_auto to select a curve depending on
-	# server and client availability from SSL_CTX_set1_curves.
-	# that way other curves like 25519 can be used.
-	# openssl 1.0.1 can only support 1 curve at a time.
-	my $curve = Net::SSLeay::OBJ_txt2nid('prime256v1');
-	my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve);
 	Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE);
-	Net::SSLeay::CTX_set_tmp_ecdh($self->{tls_ctx}->{ctx}, $ecdh);
-	Net::SSLeay::EC_KEY_free($ecdh);
     }
 
     if ($self->{spiceproxy}) {
-- 
2.1.4