diff options
| -rw-r--r-- | accel-pppd/accel-ppp.conf | 1 | ||||
| -rw-r--r-- | accel-pppd/accel-ppp.conf.5 | 3 | ||||
| -rw-r--r-- | accel-pppd/ctrl/sstp/sstp.c | 37 |
3 files changed, 41 insertions, 0 deletions
diff --git a/accel-pppd/accel-ppp.conf b/accel-pppd/accel-ppp.conf index 3d097f5..f28a3aa 100644 --- a/accel-pppd/accel-ppp.conf +++ b/accel-pppd/accel-ppp.conf @@ -113,6 +113,7 @@ verbose=1 #cert-hash-sha256= #accept=ssl,proxy #ssl-dhparam=/etc/ssl/dhparam.pem +#ssl-ecdh-curve=prime256v1 #ssl-ciphers=DEFAULT #ssl-prefer-server-ciphers=0 #ssl-ca-file=/etc/ssl/sstp-ca.crt diff --git a/accel-pppd/accel-ppp.conf.5 b/accel-pppd/accel-ppp.conf.5 index 7439de1..9ccac7d 100644 --- a/accel-pppd/accel-ppp.conf.5 +++ b/accel-pppd/accel-ppp.conf.5 @@ -684,6 +684,9 @@ Specifies incoming connection acceptance mode. .BI "ssl-dhparam=" pemfile Specifies a file with DH parameters for DHE ciphers. .TP +.BI "ssl-ecdh-curve=" string +Specifies a curves for ECDHE ciphers. Value is specified in the format understood by the OpenSSL library. +.TP .BI "ssl-ciphers=" string Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library. .TP diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c index aadf746..e60d2cb 100644 --- a/accel-pppd/ctrl/sstp/sstp.c +++ b/accel-pppd/ctrl/sstp/sstp.c @@ -2371,6 +2371,9 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) #ifndef OPENSSL_NO_DH SSL_OP_SINGLE_DH_USE | #endif +#ifndef OPENSSL_NO_ECDH + SSL_OP_SINGLE_ECDH_USE | +#endif SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION); @@ -2400,6 +2403,40 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) } #endif +#ifndef OPENSSL_NO_ECDH + opt = conf_get_opt("sstp", "ssl-ecdh-curve"); + { +#if defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_CURVES_LIST) +#ifdef SSL_CTRL_SET_ECDH_AUTO + /* not needed in OpenSSL 1.1.0+ */ + SSL_CTX_set_ecdh_auto(ssl_ctx, 1); +#endif + if (opt && SSL_CTX_set1_curves_list(ssl_ctx, opt) == 0) { + log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + goto error; + } +#else + EC_KEY *ecdh; + int nid; + + nid = OBJ_sn2nid(opt ? : "prime256v1"); + if (nid == 0) { + log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + goto error; + } + + ecdh = EC_KEY_new_by_curve_name(nid); + if (ecdh == NULL) { + log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + goto error; + } + + SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh); + EC_KEY_free(ecdh); +#endif + } +#endif + opt = conf_get_opt("sstp", "ssl-ciphers"); if (opt && SSL_CTX_set_cipher_list(ssl_ctx, opt) != 1) { log_error("sstp: SSL cipher list error: %s\n", ERR_error_string(ERR_get_error(), NULL)); |