Hello,<br><br>Thanks Maxim for the encouragement. Indeed, the patch was really terrible. I did some code clean-up; hopefully it is fine now. ECDH was introduced in OpenSSL starting from version 0.9.8, so there is a preprocessor check now. The default EC curve is prime256v1.<br>

Just to be sure, I paste the patch also here:

diff -rupN nginx-0.9.3/src/event/ngx_event_openssl.c nginx-0.9.3p/src/event/ngx_event_openssl.c
--- nginx-0.9.3/src/event/ngx_event_openssl.c   2011-01-05 20:38:18.000000000 +0200
+++ nginx-0.9.3p/src/event/ngx_event_openssl.c   2011-01-05 20:33:55.000000000 +0200
@@ -478,6 +478,42 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_
    return NGX_OK;
 }
 
+ngx_int_t
+ngx_ssl_eccurve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+   EC_KEY *ecdh;
+   int nid;
+
+   /*
+    * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
+Â Â Â Â * from RFC 4492 section 5.1.1, or explicitely described curves over
+Â Â Â Â * binary fields. OpenSSL only supports the "named curves", which provide
+Â Â Â Â * maximum interoperability.
+Â Â Â Â */
+
+Â Â Â nid = OBJ_sn2nid((const char *)name->data);
+Â Â Â if (nid == 0) {
+Â Â Â Â Â Â Â ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â "Unknown curve name (%s)", name->data);
+Â Â Â Â Â Â Â return NGX_ERROR;
+Â Â Â }
+
+Â Â Â ecdh = EC_KEY_new_by_curve_name(nid);
+Â Â Â if (ecdh == NULL) {
+Â Â Â Â Â Â Â ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â "Unable to create curve (%s)", name->data);
+Â Â Â Â Â Â Â return NGX_ERROR;
+Â Â Â }
+
+Â Â Â SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
+
+Â Â Â EC_KEY_free(ecdh);
+#endif
+#endif
+Â Â Â return NGX_OK;
+}
Â 
Â ngx_int_t
Â ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
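Review bot: The new ngx_ssl_eccurve never sets `SSL_OP_SINGLE_ECDH_USE` on `ssl->ctx`; on the OpenSSL 0.9.8/1.0.x releases this targets, a fresh ECDH key per handshake for a key installed with `SSL_CTX_set_tmp_ecdh` is otherwise only guaranteed when that option is set or the EC_KEY carries no key pair, so the forward-secrecy property the directive exists for rests on an incidental detail of how `ecdh` is built. Adding `SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);` immediately before `SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);` makes it explicit. When the `#if`/`#ifndef` guards are not satisfied the function falls through to `return NGX_OK;` without touching the context, so a configured `ssl_eccurve` is silently accepted but ignored; the otherwise unused `cf` parameter could carry an `ngx_conf_log_error(NGX_LOG_WARN, cf, 0, ...)` in an `#else` branch saying ECDH support is not compiled in. The comment typo `explicitely` should read `explicitly`.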
diff -rupN nginx-0.9.3/src/event/ngx_event_openssl.h nginx-0.9.3p/src/event/ngx_event_openssl.h
--- nginx-0.9.3/src/event/ngx_event_openssl.h   2011-01-05 20:38:16.000000000 +0200
+++ nginx-0.9.3p/src/event/ngx_event_openssl.h   2011-01-05 20:33:53.000000000 +0200
@@ -101,6 +101,7 @@ ngx_int_t ngx_ssl_client_certificate(ngx
Â ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
Â ngx_int_t ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl);
Â ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
+ngx_int_t ngx_ssl_eccurve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
Â ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
Â Â Â Â ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
diff -rupN nginx-0.9.3/src/http/modules/ngx_http_ssl_module.c nginx-0.9.3p/src/http/modules/ngx_http_ssl_module.c
--- nginx-0.9.3/src/http/modules/ngx_http_ssl_module.c   2011-01-05 20:38:28.000000000 +0200
+++ nginx-0.9.3p/src/http/modules/ngx_http_ssl_module.c   2011-01-05 21:15:29.000000000 +0200
@@ -14,7 +14,7 @@ typedef ngx_int_t (*ngx_ssl_variable_han
 
 
 #define NGX_DEFAULT_CIPHERS "HIGH:!ADH:!MD5"
-
+#define NGX_DEFAULT_ECCURVE "prime256v1"
 
 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
@@ -78,6 +78,13 @@ static ngx_command_t ngx_http_ssl_comma
      offsetof(ngx_http_ssl_srv_conf_t, dhparam),
      NULL },
 
+   { ngx_string("ssl_eccurve"),
+     NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+     ngx_conf_set_str_slot,
+     NGX_HTTP_SRV_CONF_OFFSET,
+Â Â Â Â Â offsetof(ngx_http_ssl_srv_conf_t, eccurve),
+Â Â Â Â Â NULL },
+
Â Â Â Â { ngx_string("ssl_protocols"),
Â Â Â Â Â Â NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
Â Â Â Â Â Â ngx_conf_set_bitmask_slot,
@@ -312,6 +319,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t 
Â Â Â Â Â *Â Â Â Â sscf->certificate = { 0, NULL };
Â Â Â Â Â *Â Â Â Â sscf->certificate_key = { 0, NULL };
Â Â Â Â Â *Â Â Â Â sscf->dhparam = { 0, NULL };
+Â Â Â Â *Â Â Â Â sscf->eccurve = { 0, NULL };
     *    sscf->client_certificate = { 0, NULL };
     *    sscf->crl = { 0, NULL };
     *    sscf->ciphers = { 0, NULL };
@@ -360,6 +368,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
                         "");
    ngx_conf_merge_str_value(conf->crl, prev->crl, "");
 
+   ngx_conf_merge_str_value(conf->eccurve, prev->eccurve, NGX_DEFAULT_ECCURVE);
+
    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
 
@@ -473,6 +483,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
        return NGX_CONF_ERROR;
    }
 
+   if (ngx_ssl_eccurve(cf, &conf->ssl, &conf->eccurve) != NGX_OK) {
+       return NGX_CONF_ERROR;
+Â Â Â }
+
Â Â Â Â ngx_conf_merge_value(conf->builtin_session_cache,
Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
Â 
diff -rupN nginx-0.9.3/src/http/modules/ngx_http_ssl_module.h nginx-0.9.3p/src/http/modules/ngx_http_ssl_module.h
--- nginx-0.9.3/src/http/modules/ngx_http_ssl_module.h   2011-01-05 20:38:37.000000000 +0200
+++ nginx-0.9.3p/src/http/modules/ngx_http_ssl_module.h   2011-01-05 20:34:16.000000000 +0200
@@ -32,6 +32,7 @@ typedef struct {
    ngx_str_t                      certificate;
    ngx_str_t                      certificate_key;
    ngx_str_t                      dhparam;
+   ngx_str_t                      eccurve;
    ngx_str_t                      client_certificate;
    ngx_str_t                      crl;
 
diff -rupN nginx-0.9.3/src/mail/ngx_mail_ssl_module.c nginx-0.9.3p/src/mail/ngx_mail_ssl_module.c
--- nginx-0.9.3/src/mail/ngx_mail_ssl_module.c   2011-01-05 20:37:52.000000000 +0200
+++ nginx-0.9.3p/src/mail/ngx_mail_ssl_module.c   2011-01-05 20:33:43.000000000 +0200
@@ -10,7 +10,7 @@
 
 
 #define NGX_DEFAULT_CIPHERS "HIGH:!ADH:!MD5"
-
+#define NGX_DEFAULT_ECCURVE "prime256v1"
 
 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
@@ -77,6 +77,13 @@ static ngx_command_t ngx_mail_ssl_comma
      offsetof(ngx_mail_ssl_conf_t, dhparam),
      NULL },
 
+   { ngx_string("ssl_eccurve"),
+     NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+     ngx_conf_set_str_slot,
+     NGX_MAIL_SRV_CONF_OFFSET,
+     offsetof(ngx_mail_ssl_conf_t, eccurve),
+Â Â Â Â Â NULL },
+
Â Â Â Â { ngx_string("ssl_protocols"),
Â Â Â Â Â Â NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_1MORE,
Â Â Â Â Â Â ngx_conf_set_bitmask_slot,
@@ -163,6 +170,7 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
     *    scf->certificate = { 0, NULL };
     *    scf->certificate_key = { 0, NULL };
     *    scf->dhparam = { 0, NULL };
+    *    scf->eccurve = { 0, NULL };
     *    scf->ciphers = { 0, NULL };
     *    scf->shm_zone = NULL;
     */
@@ -204,6 +212,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, 
 
    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
 
+   ngx_conf_merge_str_value(conf->eccurve, prev->eccurve, NGX_DEFAULT_ECCURVE);
+
    ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
 
 
diff -rupN nginx-0.9.3/src/mail/ngx_mail_ssl_module.h nginx-0.9.3p/src/mail/ngx_mail_ssl_module.h
--- nginx-0.9.3/src/mail/ngx_mail_ssl_module.h   2011-01-05 20:37:52.000000000 +0200
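Review bot: ngx_mail_ssl_merge_conf merges `conf->eccurve` here, but unlike the http module's merge (the `@@ -473,6 +483,10 @@` hunk) no hunk in ngx_mail_ssl_module.c calls `ngx_ssl_eccurve(cf, &conf->ssl, &conf->eccurve)`, so in the mail module the `ssl_eccurve` directive is parsed and defaulted but never applied to the SSL context, and a mistyped curve name passes configuration without the error the http path reports. Unless that call lives in a change outside this patch, add `if (ngx_ssl_eccurve(cf, &conf->ssl, &conf->eccurve) != NGX_OK) { return NGX_CONF_ERROR; }` where the mail module applies its other settings to `conf->ssl`. The enclosing function continues outside this hunk.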
+++ nginx-0.9.3p/src/mail/ngx_mail_ssl_module.h   2011-01-05 20:33:43.000000000 +0200
@@ -34,6 +34,7 @@ typedef struct {
    ngx_str_t       certificate;
    ngx_str_t       certificate_key;
    ngx_str_t       dhparam;
+   ngx_str_t       eccurve;
 
    ngx_str_t       ciphers;
 