Hello,

Thanks Maxim for the encouragement. Indeed, the patch was really terrible. I did some code clean-up; hopefully it is fine now. ECDH was introduced in OpenSSL starting from version 0.9.8, so there is a preprocessor check now. The default EC curve is prime256v1.
Just to be sure, I paste the patch also here:

diff -rupN nginx-0.9.3/src/event/ngx_event_openssl.c nginx-0.9.3p/src/event/ngx_event_openssl.c
--- nginx-0.9.3/src/event/ngx_event_openssl.c 2011-01-05 20:38:18.000000000 +0200
+++ nginx-0.9.3p/src/event/ngx_event_openssl.c 2011-01-05 20:33:55.000000000 +0200
@@ -478,6 +478,42 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_
 return NGX_OK;
 }
 
+ngx_int_t
+ngx_ssl_eccurve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+ EC_KEY *ecdh;
+ int nid;
+
+ /*
+ * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
+ * from RFC 4492 section 5.1.1, or explicitely described curves over
+ * binary fields. OpenSSL only supports the "named curves", which provide
+ * maximum interoperability.
+ */
+
+ nid = OBJ_sn2nid((const char *)name->data);
+ if (nid == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "Unknown curve name (%s)", name->data);
+ return NGX_ERROR;
+ }
+
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (ecdh == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "Unable to create curve (%s)", name->data);
+ return NGX_ERROR;
+ }
+
+ SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
+
+ EC_KEY_free(ecdh);
+#endif
+#endif
+ return NGX_OK;
+}
 
 ngx_int_t
 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
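Review bot: `SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);` discards its return value, so a failure to install the curve still reaches `return NGX_OK` and the server silently runs without ECDH parameters; check it the way the two failures above it are checked, freeing ecdh before returning NGX_ERROR. With the OpenSSL versions this targets (0.9.8 onward) the temporary ECDH key is reused across handshakes unless `SSL_OP_SINGLE_ECDH_USE` is set on the context, so set that option where the curve is installed to keep a fresh key per handshake. Because `#ifndef OPENSSL_NO_ECDH` has no `#else`, a configured ssl_eccurve is a silent no-op on ECDH-less builds; a log line there is worth adding, but since the merge hunks always pass NGX_DEFAULT_ECCURVE the function cannot tell an explicit setting from the default, so keep it at a level that will not alarm on every server block. The comment typo `explicitely` should read `explicitly`.
```c
    /* … unchanged: nid lookup and EC_KEY_new_by_curve_name() … */

    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);

    if (SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_tmp_ecdh(\"%s\") failed", name->data);
        EC_KEY_free(ecdh);
        return NGX_ERROR;
    }

    EC_KEY_free(ecdh);
#else
    ngx_log_error(NGX_LOG_INFO, ssl->log, 0,
                  "\"ssl_eccurve\" is ignored: OpenSSL was built without ECDH");
#endif
#endif
    /* … unchanged: return NGX_OK … */
```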
diff -rupN nginx-0.9.3/src/event/ngx_event_openssl.h nginx-0.9.3p/src/event/ngx_event_openssl.h
--- nginx-0.9.3/src/event/ngx_event_openssl.h 2011-01-05 20:38:16.000000000 +0200
+++ nginx-0.9.3p/src/event/ngx_event_openssl.h 2011-01-05 20:33:53.000000000 +0200
@@ -101,6 +101,7 @@ ngx_int_t ngx_ssl_client_certificate(ngx
 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
 ngx_int_t ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl);
 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
+ngx_int_t ngx_ssl_eccurve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
diff -rupN nginx-0.9.3/src/http/modules/ngx_http_ssl_module.c nginx-0.9.3p/src/http/modules/ngx_http_ssl_module.c
--- nginx-0.9.3/src/http/modules/ngx_http_ssl_module.c 2011-01-05 20:38:28.000000000 +0200
+++ nginx-0.9.3p/src/http/modules/ngx_http_ssl_module.c 2011-01-05 21:15:29.000000000 +0200
@@ -14,7 +14,7 @@ typedef ngx_int_t (*ngx_ssl_variable_han
 
 
 #define NGX_DEFAULT_CIPHERS "HIGH:!ADH:!MD5"
-
+#define NGX_DEFAULT_ECCURVE "prime256v1"
 
 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
 ngx_http_variable_value_t *v, uintptr_t data);
@@ -78,6 +78,13 @@ static ngx_command_t ngx_http_ssl_comma
offsetof(ngx_http_ssl_srv_conf_t, dhparam),
 NULL },
 
+ { ngx_string("ssl_eccurve"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, eccurve),
+ NULL },
+
 { ngx_string("ssl_protocols"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
 ngx_conf_set_bitmask_slot,
@@ -312,6 +319,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t 
 * sscf->certificate = { 0, NULL };
 * sscf->certificate_key = { 0, NULL };
 * sscf->dhparam = { 0, NULL };
+ * sscf->eccurve = { 0, NULL };
* sscf->client_certificate = { 0, NULL };
 * sscf->crl = { 0, NULL };
 * sscf->ciphers = { 0, NULL };
@@ -360,6 +368,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
 "");
ngx_conf_merge_str_value(conf->crl, prev->crl, "");
 
+ ngx_conf_merge_str_value(conf->eccurve, prev->eccurve, NGX_DEFAULT_ECCURVE);
+
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);

 
@@ -473,6 +483,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
 return NGX_CONF_ERROR;
 }
 
+ if (ngx_ssl_eccurve(cf, &conf->ssl, &conf->eccurve) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
 ngx_conf_merge_value(conf->builtin_session_cache,
 prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
 
diff -rupN nginx-0.9.3/src/http/modules/ngx_http_ssl_module.h nginx-0.9.3p/src/http/modules/ngx_http_ssl_module.h
--- nginx-0.9.3/src/http/modules/ngx_http_ssl_module.h 2011-01-05 20:38:37.000000000 +0200
+++ nginx-0.9.3p/src/http/modules/ngx_http_ssl_module.h 2011-01-05 20:34:16.000000000 +0200
@@ -32,6 +32,7 @@ typedef struct {
ngx_str_t certificate;
 ngx_str_t certificate_key;
 ngx_str_t dhparam;
+ ngx_str_t eccurve;
 ngx_str_t client_certificate;
ngx_str_t crl;
 
diff -rupN nginx-0.9.3/src/mail/ngx_mail_ssl_module.c nginx-0.9.3p/src/mail/ngx_mail_ssl_module.c
--- nginx-0.9.3/src/mail/ngx_mail_ssl_module.c 2011-01-05 20:37:52.000000000 +0200
+++ nginx-0.9.3p/src/mail/ngx_mail_ssl_module.c 2011-01-05 20:33:43.000000000 +0200
@@ -10,7 +10,7 @@
 
 
 #define NGX_DEFAULT_CIPHERS "HIGH:!ADH:!MD5"
-
+#define NGX_DEFAULT_ECCURVE "prime256v1"

 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
@@ -77,6 +77,13 @@ static ngx_command_t ngx_mail_ssl_comma
 offsetof(ngx_mail_ssl_conf_t, dhparam),
NULL },
 
+ { ngx_string("ssl_eccurve"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, eccurve),
+ NULL },
+
 { ngx_string("ssl_protocols"),
 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
 ngx_conf_set_bitmask_slot,
@@ -163,6 +170,7 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
* scf->certificate = { 0, NULL };
 * scf->certificate_key = { 0, NULL };
 * scf->dhparam = { 0, NULL };
+ * scf->eccurve = { 0, NULL };
 * scf->ciphers = { 0, NULL };
* scf->shm_zone = NULL;
 */
@@ -204,6 +212,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, 
 
 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
 
+ ngx_conf_merge_str_value(conf->eccurve, prev->eccurve, NGX_DEFAULT_ECCURVE);
+
 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
 
diff -rupN nginx-0.9.3/src/mail/ngx_mail_ssl_module.h nginx-0.9.3p/src/mail/ngx_mail_ssl_module.h
--- nginx-0.9.3/src/mail/ngx_mail_ssl_module.h 2011-01-05 20:37:52.000000000 +0200
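Review bot: The mail module merges `conf->eccurve` with NGX_DEFAULT_ECCURVE here, but no hunk in this patch calls ngx_ssl_eccurve() from ngx_mail_ssl_merge_conf(), so unless that call is in a part of the patch not pasted into this message, `ssl_eccurve` is accepted and then ignored for mail servers while the same directive takes effect in the http module (the @@ -473 hunk of ngx_http_ssl_module.c). The merged value needs to be applied later in this function, presumably next to where the merged dhparam is handed to ngx_ssl_dhparam(), with `if (ngx_ssl_eccurve(cf, &conf->ssl, &conf->eccurve) != NGX_OK) { return NGX_CONF_ERROR; }` mirroring the http module. ngx_mail_ssl_merge_conf() continues outside the hunk.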
+++ nginx-0.9.3p/src/mail/ngx_mail_ssl_module.h 2011-01-05 20:33:43.000000000 +0200
@@ -34,6 +34,7 @@ typedef struct {
 ngx_str_t certificate;
 ngx_str_t certificate_key;
 ngx_str_t dhparam;
+ ngx_str_t eccurve;
 
 ngx_str_t ciphers;
 