author | jiayl@webrtc.org <jiayl@webrtc.org> | 2014-08-28 16:14:38 +0000 |
---|---|---|
committer | jiayl@webrtc.org <jiayl@webrtc.org> | 2014-08-28 16:14:38 +0000 |
commit | 11c6bde4741917aa3ec1615192ad8899b5a9542e (patch) | |
tree | 2d78b6e0540bf0f374a27d7394ef36cedeb07914 /webrtc/base/opensslstreamadapter.cc | |
parent | 55e9da1772e34d48ae5fc4ec6b9e777085a33fd2 (diff) | |
download | webrtc-11c6bde4741917aa3ec1615192ad8899b5a9542e.tar.gz |
Specify an ECDH group for ECDHE.
By default, OpenSSL cannot negotiate ECDHE cipher suites as a server because it
doesn't know what curve to use.
BUG=chromium:406458
TEST=Download Firefox nightly build from 2014-08-12.
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-08-12-mozilla-central-debug/
Point Firefox to https://apprtc.appspot.com
Point Chrome on Android to the URL Firefox redirects to (it'll say ?r=NUMBERS at the end)
After tapping through various permissions prompts on either side, the call goes through.
R=agl@chromium.org, henrike@webrtc.org, jiayl@webrtc.org, juberti@webrtc.org
Review URL: https://webrtc-codereview.appspot.com/18269004
git-svn-id: http://webrtc.googlecode.com/svn/trunk@7002 4adac7df-926f-26a2-2b94-8c16560cd09d
Diffstat (limited to 'webrtc/base/opensslstreamadapter.cc')
-rw-r--r-- | webrtc/base/opensslstreamadapter.cc | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/webrtc/base/opensslstreamadapter.cc b/webrtc/base/opensslstreamadapter.cc index 5eaeb1b5f6..ed5ac74068 100644 --- a/webrtc/base/opensslstreamadapter.cc +++ b/webrtc/base/opensslstreamadapter.cc @@ -615,6 +615,16 @@ int OpenSSLStreamAdapter::BeginSSL() { SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); + // Specify an ECDH group for ECDHE ciphers, otherwise they cannot be + // negotiated when acting as the server. Use NIST's P-256 which is commonly + // supported. + EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (ecdh == NULL) + return -1; + SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE); + SSL_set_tmp_ecdh(ssl_, ecdh); + EC_KEY_free(ecdh); + // Do the connect return ContinueSSL(); } |
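Review bot: the return value of `SSL_set_tmp_ecdh(ssl_, ecdh);` is discarded, so a failure to install the ECDH key (it returns 1 on success, 0 on failure) leaves the handshake in the same state the commit message describes, with ECDHE cipher suites silently unavailable on the server side and no error surfaced. Since the hunk already bails out with `return -1;` when `EC_KEY_new_by_curve_name` fails, apply the same treatment here, for example `if (!SSL_set_tmp_ecdh(ssl_, ecdh)) { EC_KEY_free(ecdh); return -1; }`, so that the existing `EC_KEY_free(ecdh);` still runs on the failure path. A one-line comment noting that `SSL_OP_SINGLE_ECDH_USE` forces a fresh ephemeral key per handshake rather than reusing the installed one would also help the next reader, since the comment block only explains why the curve is set.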