Don't override curve preferences in BoringSSL.

BoringSSL has since fixed OpenSSL's API wart and can do ECDHE by default as a server. Notably, removing this call means that X25519 may be used as either client or server.

R=torbjorng@webrtc.org
TBR=juberti@webrtc.org

BUG=webrtc:5674

Review URL: https://codereview.webrtc.org/1823213002 .

Cr-Commit-Position: refs/heads/master@{#12120}
David Benjamin 2016-03-24 13:28:25 -04:00
parent 027fd8f907
commit 60d5f3f4b7


@ -783,15 +783,18 @@ int OpenSSLStreamAdapter::BeginSSL() {
SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
// Specify an ECDH group for ECDHE ciphers, otherwise they cannot be
// negotiated when acting as the server. Use NIST's P-256 which is commonly
// supported.
#if !defined(OPENSSL_IS_BORINGSSL)
// Specify an ECDH group for ECDHE ciphers, otherwise OpenSSL cannot
// negotiate them when acting as the server. Use NIST's P-256 which is
// commonly supported. BoringSSL doesn't need explicit configuration and has
// a reasonable default set.
EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh == NULL)
return -1;
SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE);
SSL_set_tmp_ecdh(ssl_, ecdh);
EC_KEY_free(ecdh);
#endif
// Do the connect
return ContinueSSL();
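Review bot: the new comment inside the `#if !defined(OPENSSL_IS_BORINGSSL)` block explains why BoringSSL needs no explicit curve, but the same guard also removes `SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE);` for BoringSSL builds, and the comment says nothing about that option. Add a sentence stating why single-use ephemeral ECDH keys do not need to be requested explicitly under BoringSSL, so a later reader does not take the guarded-out option for an accidental loss of forward-secrecy hygiene. Separately, the OpenSSL branch still pins the server to P-256 only, so the commit message's note about X25519 applies to BoringSSL builds alone; the comment could say so to avoid the impression that both libraries now negotiate the same group set.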