<p>Joshua Colp <strong>merged</strong> this change.</p><p><a href="https://gerrit.asterisk.org/9056">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Joshua Colp: Looks good to me, but someone else must approve; Approved for Submit
  George Joseph: Looks good to me, approved

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">tcptls: Allow OpenSSL configured with no-dh.<br><br>Additionally, this change allows auto-negotiation of the elliptic curve/group<br>for servers, not only with OpenSSL 1.0.2 but also with OpenSSL 1.1.0 and newer.<br>This enables X25519 (since OpenSSL 1.1.0) and X448 (since OpenSSL 1.1.1) as a<br>side-effect.<br><br>ASTERISK-27876<br><br>Change-Id: I62c2aba4a630aefc231b71f646207e8c027d9497<br>---<br>M main/tcptls.c<br>1 file changed, 5 insertions(+), 4 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/main/tcptls.c b/main/tcptls.c<br>index 8ffeabb..d6dfcf0 100644<br>--- a/main/tcptls.c<br>+++ b/main/tcptls.c<br>@@ -454,8 +454,7 @@<br>          }<br>     }<br> <br>-#ifdef HAVE_OPENSSL_EC<br>-<br>+#ifndef OPENSSL_NO_DH<br>      if (!ast_strlen_zero(cfg->pvtfile)) {<br>              BIO *bio = BIO_new_file(cfg->pvtfile, "r");<br>              if (bio != NULL) {<br>@@ -471,12 +470,15 @@<br>                     BIO_free(bio);<br>                }<br>     }<br>+#endif<br>+<br>         #ifndef SSL_CTRL_SET_ECDH_AUTO<br>                #define SSL_CTRL_SET_ECDH_AUTO 94<br>     #endif<br>        /* SSL_CTX_set_ecdh_auto(cfg->ssl_ctx, on); requires OpenSSL 1.0.2 which wraps: */<br>         if (SSL_CTX_ctrl(cfg->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {<br>                 ast_verb(2, "TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled\n");<br>+#if !defined(OPENSSL_NO_ECDH) && (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)<br>       } else {<br>              /* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */<br>               EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);<br>@@ -486,9 +488,8 @@<br>                   }<br>                     EC_KEY_free(ecdh);<br>            }<br>+#endif<br>    }<br>-<br>-#endif /* #ifdef HAVE_OPENSSL_EC */<br> <br>         
ast_verb(2, "TLS/SSL certificate ok\n");      /* We should log which one that is ok. This message doesn't really make sense in production use */<br>        return 1;<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/9056">change 9056</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/9056"/><meta itemprop="name" content="View Change"/></div></div>
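<p>Review bot: in the first hunk of main/tcptls.c (@@ -454,8 +454,7 @@), the block that opens cfg->pvtfile is now compiled out whenever OPENSSL_NO_DH is defined, and there is no #else branch, so a build against such an OpenSSL skips it without writing anything to the log. Consider adding an #else that emits an ast_verb or ast_log line when cfg->pvtfile is non-empty, so an operator can tell from the log that the guarded block did not run.</p>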
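<p>Review bot: in the second hunk (@@ -471,12 +470,15 @@), the new #if is placed directly before "} else {" and its #endif lands directly before the final "}" in the third hunk, so the same closing brace ends the if-body in one configuration and the else-body in the other, which is easy to unbalance in a later edit. Closing the if-body before the #if and keeping the complete "else { ... }" inside the conditional would leave each configuration balanced on its own. Separately, when the fallback is compiled out and SSL_CTX_ctrl(cfg->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL) returns 0, no ECDH message is logged at all; a verbose line for that case would make the resulting state visible.</p>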

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 15 </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: I62c2aba4a630aefc231b71f646207e8c027d9497 </div>
<div style="display:none"> Gerrit-Change-Number: 9056 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Alexander Traud &lt;pabstraud@compuserve.com&gt; </div>
<div style="display:none"> Gerrit-Reviewer: Alexander Traud &lt;pabstraud@compuserve.com&gt; </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph &lt;gjoseph@digium.com&gt; </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins2 </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp &lt;jcolp@digium.com&gt; </div>