From 48c4db71c229444bc12a53550d7fd12f51131956 Mon Sep 17 00:00:00 2001 From: Alexander Traud Date: Tue, 13 Oct 2020 14:33:19 +0200 Subject: [PATCH] [core] Allow other (D)TLS Curves/Groups beside P-256 Five years ago, commit 8e1b2ea enabled ECDHE for the DTLS server by hard-coding P-256. Released before that, OpenSSL 1.0.2, allows auto selection of the curve (P-256, P-384, and P-512). OpenSSL 1.1.x has this enabled on default, which adds groups/curves like X25519 and X448 automatically. This change here allows DTLS clients with a demand for Security Level 4 (192 bit) and 5 (256 bit) connecting to the DTLS server. --- src/switch_rtp.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/switch_rtp.c b/src/switch_rtp.c index e2e6dedc2d..fbe49eb15a 100644 --- a/src/switch_rtp.c +++ b/src/switch_rtp.c @@ -3734,8 +3734,10 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_dtls(switch_rtp_t *rtp_session, d DH *dh; switch_status_t status = SWITCH_STATUS_SUCCESS; #ifndef OPENSSL_NO_EC +#if OPENSSL_VERSION_NUMBER < 0x10002000L EC_KEY* ecdh; #endif +#endif #ifndef HAVE_OPENSSL_DTLS_SRTP return SWITCH_STATUS_FALSE; @@ -3871,6 +3873,7 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_dtls(switch_rtp_t *rtp_session, d //SSL_set_verify(dtls->ssl, (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), cb_verify_peer); #ifndef OPENSSL_NO_EC +#if OPENSSL_VERSION_NUMBER < 0x10002000L ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (!ecdh) { switch_goto_status(SWITCH_STATUS_FALSE, done); @@ -3878,6 +3881,10 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_dtls(switch_rtp_t *rtp_session, d SSL_set_options(dtls->ssl, SSL_OP_SINGLE_ECDH_USE); SSL_set_tmp_ecdh(dtls->ssl, ecdh); EC_KEY_free(ecdh); +#elif OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_set_ecdh_auto(dtls->ssl, 1); + SSL_set_options(dtls->ssl, SSL_OP_SINGLE_ECDH_USE); +#endif #endif SSL_set_verify(dtls->ssl, SSL_VERIFY_NONE, NULL);