authorSteven Fackler <[email protected]>2016-10-30 13:38:09 -0700
committerSteven Fackler <[email protected]>2016-10-30 13:38:09 -0700
commit677718f8da0024248fb6dfaa8f201ee6a6b3a219 (patch)
treecbd4b79f38653802ce60f75a88c344a21ca7ba38 /openssl/src/ssl/connector.rs
parentImplement EcKey (diff)
Configure ECDH parameters in connector
Diffstat (limited to 'openssl/src/ssl/connector.rs')
-rw-r--r--openssl/src/ssl/connector.rs17
1 files changed, 17 insertions, 0 deletions
diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs
index 7d0bc4cd..625c37e8 100644
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@@ -129,6 +129,7 @@ impl ServerConnectorBuilder {
ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE);
let dh = try!(Dh::from_pem(DHPARAM_PEM.as_bytes()));
try!(ctx.set_tmp_dh(&dh));
+ try!(setup_curves(&mut ctx));
try!(ctx.set_cipher_list(
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
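Review bot: The `set_options` call at the top of this hunk enables `SSL_OP_SINGLE_DH_USE` but not its ECDH counterpart, which matters now that `setup_curves` installs a temporary ECDH key on the OpenSSL 1.0.1 path. On 1.0.1, a key installed with `set_tmp_ecdh` can be reused across handshakes unless `SSL_OP_SINGLE_ECDH_USE` is set, which weakens forward secrecy for the ECDHE suites listed below. Unless that option is already set where `ctx` is created (not visible here), consider `ctx.set_options(ssl::SSL_OP_SINGLE_DH_USE | ssl::SSL_OP_SINGLE_ECDH_USE | ssl::SSL_OP_CIPHER_SERVER_PREFERENCE);`. The enclosing builder function begins and ends outside the hunk.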
@@ -165,6 +166,22 @@ impl ServerConnectorBuilder {
}
}
+#[cfg(ossl101)]
+fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
+ let curve = try!(::ec_key::EcKey::new_by_curve_name(::nid::X9_62_PRIME256V1));
+ ctx.set_tmp_ecdh(&curve)
+}
+
+#[cfg(ossl102)]
+fn setup_curves(ctx: &mut SslContextBuilder) -> Result<(), ErrorStack> {
+ ctx._set_ecdh_auto(true)
+}
+
+#[cfg(ossl110)]
+fn setup_curves(_: &mut SslContextBuilder) -> Result<(), ErrorStack> {
+ Ok(())
+}
+
/// A type which wraps server-side streams in a TLS session.
///
/// OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL
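Review bot: None of the three `setup_curves` variants says why it differs from the others, and the `ossl110` one reads like a forgotten stub. A short comment on each would help, for example `// OpenSSL 1.1.0 always selects ECDH curves automatically; nothing to configure.` on the no-op and `// 1.0.1 has no automatic curve selection, so pin P-256.` on the first. The variants also rely on exactly one of `ossl101`/`ossl102`/`ossl110` being set by the build script; a build that sets none would fail to compile at the call site, which is presumably the intended fail-closed behaviour but is worth stating in a comment.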