SSL Context: Explicitly load ECC ciphers on el7

Otherwise curl/nss as client won't be able to use the
new default cipher list.

fixes #7247
This commit is contained in:
Michael Friedrich 2019-06-18 14:58:19 +02:00
parent 8b5ebe9aa1
commit 9c92368774
1 changed files with 3 additions and 0 deletions

View File

@ -73,6 +73,9 @@ static void SetupSslContext(SSL_CTX *sslContext, const String& pubkey, const Str
SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)"Icinga 2", 8); SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)"Icinga 2", 8);
// Explicitly load ECC ciphers, required on el7 - https://github.com/Icinga/icinga2/issues/7247
SSL_CTX_set_ecdh_auto(sslContext, 1);
if (!pubkey.IsEmpty()) { if (!pubkey.IsEmpty()) {
if (!SSL_CTX_use_certificate_chain_file(sslContext, pubkey.CStr())) { if (!SSL_CTX_use_certificate_chain_file(sslContext, pubkey.CStr())) {
Log(LogCritical, "SSL") Log(LogCritical, "SSL")