kenmirrors
/
freeswitch
mirror of https://github.com/signalwire/freeswitch.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[core] Allow other (D)TLS Curves/Groups beside P-256 

Five years ago, commit 8e1b2ea enabled ECDHE for the DTLS server by hard-coding P-256. Released before that, OpenSSL 1.0.2, allows auto selection of the curve (P-256, P-384, and P-512). OpenSSL 1.1.x has this enabled on default, which adds groups/curves like X25519 and X448 automatically. This change here allows DTLS clients with a demand for Security Level 4 (192 bit) and 5 (256 bit) connecting to the DTLS server.
This commit is contained in:
Alexander Traud 2020-10-13 14:33:19 +02:00 committed by Andrey Volk
parent 9c589b7750
commit 48c4db71c2
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/switch_rtp.c
View File

@ -3734,8 +3734,10 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_dtls(switch_rtp_t *rtp_session, d
DH *dh;
switch_status_t status = SWITCH_STATUS_SUCCESS;
#ifndef OPENSSL_NO_EC
#if OPENSSL_VERSION_NUMBER < 0x10002000L
EC_KEY* ecdh;
#endif
#endif
#ifndef HAVE_OPENSSL_DTLS_SRTP
return SWITCH_STATUS_FALSE;
@ -3871,6 +3873,7 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_dtls(switch_rtp_t *rtp_session, d
//SSL_set_verify(dtls->ssl, (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), cb_verify_peer);
#ifndef OPENSSL_NO_EC
#if OPENSSL_VERSION_NUMBER < 0x10002000L
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (!ecdh) {
switch_goto_status(SWITCH_STATUS_FALSE, done);
@ -3878,6 +3881,10 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_dtls(switch_rtp_t *rtp_session, d
SSL_set_options(dtls->ssl, SSL_OP_SINGLE_ECDH_USE);
SSL_set_tmp_ecdh(dtls->ssl, ecdh);
EC_KEY_free(ecdh);
#elif OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_set_ecdh_auto(dtls->ssl, 1);
SSL_set_options(dtls->ssl, SSL_OP_SINGLE_ECDH_USE);
#endif
#endif
SSL_set_verify(dtls->ssl, SSL_VERIFY_NONE, NULL);