Subject: svn commit: r1569005 - in /httpd/httpd/branches/2.4.x: ./ STATUS modules/ssl/ssl_engine_init.c
Date: Mon, 17 Feb 2014 14:11:38 -0000
To: cvs@httpd.apache.org
From: jim@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20140217141138.CD86E23889E7@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: jim Date: Mon Feb 17 14:11:38 2014 New Revision: 1569005 URL: http://svn.apache.org/r1569005 Log: Merge r1563420 from trunk: enable auto curve selection for ephemeral ECDH keys when compiled against OpenSSL 1.0.2 or later Submitted by: kbrand Reviewed/backported by: jim Modified: httpd/httpd/branches/2.4.x/ (props changed) httpd/httpd/branches/2.4.x/STATUS httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Propchange: httpd/httpd/branches/2.4.x/ ------------------------------------------------------------------------------ Merged /httpd/httpd/trunk:r1563420 Modified: httpd/httpd/branches/2.4.x/STATUS URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1569005&r1=1569004&r2=1569005&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/STATUS (original) +++ httpd/httpd/branches/2.4.x/STATUS Mon Feb 17 14:11:38 2014 @@ -98,11 +98,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_ssl: enable auto curve selection for ECDHE / OpenSSL 1.0.2 - trunk patch: https://svn.apache.org/r1563420 - 2.4.x patch: trunk patch works - +1: kbrand, drh, ylavic - * mod_remoteip: Correct the trusted proxy match test. PR54651 trunk patch: https://svn.apache.org/r1564052 2.4.x patch: trunk works Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1569005&r1=1569004&r2=1569005&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original) +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Mon Feb 17 14:11:38 2014 
@@ -1083,11 +1083,16 @@ static apr_status_t ssl_init_server_cert OBJ_nid2sn(nid), vhost_id, mctx->pks->cert_files[0]); } /* - * ...otherwise, configure NIST P-256 (required to enable ECDHE) + * ...otherwise, enable auto curve selection (OpenSSL 1.0.2 and later) + * or configure NIST P-256 (required to enable ECDHE for earlier versions) */ else { +#if defined(SSL_CTX_set_ecdh_auto) + SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1); +#else SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); +#endif } #endif
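Review bot: In the ssl_engine_init.c hunk, the new branch under "#if defined(SSL_CTX_set_ecdh_auto)" discards the result of SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1), so a failure to enable automatic curve selection would go unnoticed at startup; check the return value and log an error that names vhost_id. The guard only selects the new path when the OpenSSL headers provide SSL_CTX_set_ecdh_auto as a preprocessor symbol, which is worth saying in the comment next to "OpenSSL 1.0.2 and later", since a build where it is not a macro would silently fall back to the fixed P-256 path. The unchanged #else path has a related gap: the result of EC_KEY_new_by_curve_name(NID_X9_62_prime256v1) is passed straight to SSL_CTX_set_tmp_ecdh with no NULL check and no handle kept for a later free, which could be tidied while this block is being touched.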