Support for ECDHE-ECDSA family ciphers.

eclipse · Jul 3, 2014 · fb7dd42 · fb7dd42
1 parent 4081861
commit fb7dd42
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -1,4 +1,6 @@
+Broker:
 - Default TLS mode now accepts TLS v1.2, v1.1 and v1.0.
+- Support for ECDHE-ECDSA family ciphers.
 
 Clients:
 - Both clients can now load default configuration options from a file.

diff --git a/src/net.c b/src/net.c
@@ -256,6 +256,9 @@ static int _mosquitto_tls_server_ctx(struct _mqtt3_listener *listener)
  int ssl_options = 0;
  char buf[256];
  int rc;
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10002000L
+ EC_KEY *ecdh = NULL;
+#endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
  if(listener->tls_version == NULL){
@@ -291,6 +294,19 @@ static int _mosquitto_tls_server_ctx(struct _mqtt3_listener *listener)
  /* Use even less memory per SSL connection. */
  SSL_CTX_set_mode(listener->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ SSL_CTX_set_ecdh_auto(listener->ssl_ctx, 1);
+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10002000L
+ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ if(!ecdh){
+ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to create TLS ECDH curve.");
+ return 1;
+ }
+ SSL_CTX_set_tmp_ecdh(listener->ssl_ctx, ecdh);
+ EC_KEY_free(ecdh);
+#endif
+
  snprintf(buf, 256, "mosquitto-%d", listener->port);
  SSL_CTX_set_session_id_context(listener->ssl_ctx, (unsigned char *)buf, strlen(buf));