nghttpd: More SSL_CTX options and support EDCHE cipher

b5341eba · Tatsuhiro Tsujikawa · e34b8ac7 · b5341eba
Commit b5341eba authored Mar 03, 2014 by Tatsuhiro Tsujikawa
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 1 deletion

src/HttpServer.cc src/HttpServer.cc +30 -1

No files found.
--- a/src/HttpServer.cc
+++ b/src/HttpServer.cc
@@ -1155,10 +1155,39 @@ int HttpServer::run()
      std::cerr << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
      return -1;
    }
-    SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
+    SSL_CTX_set_options(ssl_ctx,
+                        SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION |
+                        SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
+                        SSL_OP_SINGLE_ECDH_USE |
+                        SSL_OP_NO_TICKET);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+    const unsigned char sid_ctx[] = "nghttpd";
+    SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx)-1);
+    SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
+#ifndef OPENSSL_NO_EC
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+    SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
+#else // OPENSSL_VERSION_NUBMER < 0x10002000L
+    // Use P-256, which is sufficiently secure at the time of this
+    // writing.
+    auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+    if(ecdh == nullptr) {
+      std::cerr << "EC_KEY_new_by_curv_name failed: "
+                << ERR_error_string(ERR_get_error(), nullptr);
+      return -1;
+    }
+    SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
+    EC_KEY_free(ecdh);
+#endif // OPENSSL_VERSION_NUBMER < 0x10002000L
+#endif /* OPENSSL_NO_EC */
    if(SSL_CTX_use_PrivateKey_file(ssl_ctx,
                                   config_->private_key_file.c_str(),
                                   SSL_FILETYPE_PEM) != 1) {