File 0017-setup-ECDHE-to-allow-Perfect-Forward-Secrecy-using-t.patch of Package openwsman.16287

From 931535e12249cdf7f274caeff542852511ae44fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= <kkaempf@suse.de>
Date: Wed, 4 Jul 2018 14:44:10 +0200
Subject: [PATCH 17/17] setup ECDHE to allow Perfect Forward Secrecy, using the
 p256 NIST prime curve

Author: Marcus Meissner <meissner@suse.de>
---
 src/server/shttpd/config.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/server/shttpd/config.c b/src/server/shttpd/config.c
index b320d21b53d7..2c11b96d5ef8 100644
--- a/src/server/shttpd/config.c
+++ b/src/server/shttpd/config.c
@@ -89,6 +89,7 @@ set_ssl(struct shttpd_ctx *ctx, void *arg, const char *pem)
 	struct ssl_func	*fp;
         char *ssl_disabled_protocols = wsmand_options_get_ssl_disabled_protocols();
         char *ssl_cipher_list = wsmand_options_get_ssl_cipher_list();
+        EC_KEY* key;
 
 	arg = NULL;	/* Unused */
 
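Review bot: The new declaration `EC_KEY* key;` binds the `*` to the type, while the neighbouring `struct ssl_func *fp;` two lines above uses the file's pointer-to-variable style; write it as `EC_KEY *key;`. It is also uninitialized until the assignment in the second hunk, so initialising it (`EC_KEY *key = NULL;`) keeps it safe should any early exit be added between the declaration and its use. set_ssl's body starts before this hunk.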
@@ -127,6 +128,14 @@ set_ssl(struct shttpd_ctx *ctx, void *arg, const char *pem)
                 SSL_CTX_free(CTX);
                 CTX = NULL;
         }
+
+        /* This enables ECDH Perfect Forward secrecy. Currently with just the most generic p256 prime curve */
+        key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+        if (key != NULL) {
+          SSL_CTX_set_tmp_ecdh(CTX, key);
+          EC_KEY_free(key);
+        }
+
 	while (ssl_disabled_protocols) {
           struct ctx_opts_t {
             char *name;
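Review bot: `SSL_CTX_set_tmp_ecdh(CTX, key)` is reached directly after the block just above that calls `SSL_CTX_free(CTX)` and sets `CTX = NULL`; the head of that block is outside the hunk, so if it does not return early, the new code hands a NULL context to OpenSSL on the failure path. Guard the context as well as the key, `if (CTX != NULL && key != NULL) {`, and check the result, since a silent failure here leaves the server without forward secrecy while the comment claims it is enabled: `if (SSL_CTX_set_tmp_ecdh(CTX, key) != 1) { /* log via the file's logging helper: ECDHE setup failed, PFS unavailable */ }`. Note also that `EC_KEY` and `SSL_CTX_set_tmp_ecdh` are deprecated in OpenSSL 3.0; when the build targets 1.1.x or later, `SSL_CTX_set1_groups`/`SSL_CTX_set_ecdh_auto` is the forward-compatible way to express the same policy, and the comment would then be worth rewording to say which curves are allowed rather than naming the API. The new lines use two-space indentation where the surrounding code uses eight; match the file. set_ssl continues outside the hunk.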
-- 
2.18.0
