From 60d5f3f4b7d6448ade12be703951816de2402ffd Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 24 Mar 2016 13:28:25 -0400 Subject: [PATCH] Don't override curve preferences in BoringSSL. BoringSSL has since fixed OpenSSL's API wart and can do ECDHE by default as a server. Notably, removing this call means that X25519 may be used as either client or server. R=torbjorng@webrtc.org TBR=juberti@webrtc.org BUG=webrtc:5674 Review URL: https://codereview.webrtc.org/1823213002 . Cr-Commit-Position: refs/heads/master@{#12120}
---
 webrtc/base/opensslstreamadapter.cc | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/webrtc/base/opensslstreamadapter.cc b/webrtc/base/opensslstreamadapter.cc
index 44f1b718f5..052e54df9f 100644
--- a/webrtc/base/opensslstreamadapter.cc
+++ b/webrtc/base/opensslstreamadapter.cc
@@ -783,15 +783,18 @@ int OpenSSLStreamAdapter::BeginSSL() {
 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
- // Specify an ECDH group for ECDHE ciphers, otherwise they cannot be
- // negotiated when acting as the server. Use NIST's P-256 which is commonly
- // supported.
+#if !defined(OPENSSL_IS_BORINGSSL)
+ // Specify an ECDH group for ECDHE ciphers, otherwise OpenSSL cannot
+ // negotiate them when acting as the server. Use NIST's P-256 which is
+ // commonly supported. BoringSSL doesn't need explicit configuration and has
+ // a reasonable default set.
 EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
 if (ecdh == NULL)
 return -1;
 SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE);
 SSL_set_tmp_ecdh(ssl_, ecdh);
 EC_KEY_free(ecdh);
+#endif
 // Do the connect
 return ContinueSSL();