if (server)
{
- /* Set ECDHE in auto mode and fallback to some default otherwise.
- * Fix: in openssl 1.1.0 and later the SSL_CTX_set_ecdh_auto()
- * function was removed because it is always enabled. Do not
- * fallback to manual setting it to a single cipher!
- * The auto mode (or default mode in 1.1.0+) will ensure that the
- * highest available curve will be picked (thus: multiple choice).
- * We still allow forcing a single specific curve but only if
- * the user really wants it (or if it's a really old openssl).
- */
if (ssloptions->ecdh_curves)
{
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
goto fail;
#endif
} else {
+ /* Not specified by user. Set some good default */
#if defined(SSL_CTX_set_ecdh_auto)
SSL_CTX_set_ecdh_auto(ctx, 1);
#elif OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_CTX_set_tmp_ecdh(ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+#else
+ /* If we end up here we don't have SSL_CTX_set_ecdh_auto
+ * and we are on OpenSSL 1.1.0 or later. We don't need to
+ * do anything then, since auto ecdh is the default.
+ */
#endif
}
/* We really want the ECDHE/ECDHE to be generated per-session.