Improve comments in source code to better explain what's going on.

..and so nobody makes the same mistake.

diff --git a/src/ssl.c b/src/ssl.c
index 8be0874398d4fcf91692c628e02a48bf6e22705b..0b83d9b0b1739d5ae3584b2cd70eb215363e7e2f 100644 (file)
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -384,15 +384,6 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
 
        if (server)
        {
-               /* Set ECDHE in auto mode and fallback to some default otherwise.
-                * Fix: in openssl 1.1.0 and later the SSL_CTX_set_ecdh_auto()
-                * function was removed because it is always enabled. Do not
-                * fallback to manual setting it to a single cipher!
-                * The auto mode (or default mode in 1.1.0+) will ensure that the
-                * highest available curve will be picked (thus: multiple choice).
-                * We still allow forcing a single specific curve but only if
-                * the user really wants it (or if it's a really old openssl).
-                */
                if (ssloptions->ecdh_curves)
                {
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
@@ -417,10 +408,16 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
                        goto fail;
 #endif
                } else {
+                       /* Not specified by user. Set some good default */
 #if defined(SSL_CTX_set_ecdh_auto)
                        SSL_CTX_set_ecdh_auto(ctx, 1);
 #elif OPENSSL_VERSION_NUMBER < 0x10100000L
                        SSL_CTX_set_tmp_ecdh(ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+#else
+                       /* If we end up here we don't have SSL_CTX_set_ecdh_auto
+                        * and we are on OpenSSL 1.1.0 or later. We don't need to
+                        * do anything then, since auto ecdh is the default.
+                        */
 #endif
                }
                /* We really want the ECDHE/ECDHE to be generated per-session.