net: enable automatic EC curve selection for OpenSSL 1.0.2

This setting is required for servers running OpenSSL < 1.1.0 to support EC-based secure ciphers that is now part of the default cipher list.
2026-01-06 13:07:48 +00:00 · 2020-06-04 00:01:13 -05:00
parent 9278e785bd
commit 6c0f86c486
2 changed files with 23 additions and 0 deletions
--- a/lib/pure/net.nim
+++ b/lib/pure/net.nim
@@ -580,6 +580,13 @@ when defineSsl:

    if newCTX.SSL_CTX_set_cipher_list(cipherList) != 1:
      raiseSSLError()
+    # Automatically the best ECDH curve for client exchange. Without this, ECDH
+    # ciphers will be ignored by the server.
+    #
+    # From OpenSSL >= 1.1.0, this setting is set by default and can't be
+    # overriden.
+    if newCTX.SSL_CTX_set_ecdh_auto(1) != 1:
+      raiseSSLError()

    when defined(nimDisableCertificateValidation) or defined(windows):
      newCTX.SSL_CTX_set_verify(SSL_VERIFY_NONE, nil)
--- a/lib/wrappers/openssl.nim
+++ b/lib/wrappers/openssl.nim
@@ -181,6 +181,7 @@ const
  SSL_CTRL_SET_TLSEXT_SERVERNAME_CB = 53
  SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG = 54
  SSL_CTRL_SET_TLSEXT_HOSTNAME = 55
+  SSL_CTRL_SET_ECDH_AUTO* = 94
  TLSEXT_NAMETYPE_host_name* = 0
  SSL_TLSEXT_ERR_OK* = 0
  SSL_TLSEXT_ERR_ALERT_WARNING* = 1
@@ -263,6 +264,12 @@ when compileOption("dynlibOverride", "ssl") or defined(noOpenSSLHacks):
    proc SSL_library_init*(): cint {.cdecl, dynlib: DLLSSLName, importc, discardable.}
    proc SSL_load_error_strings*() {.cdecl, dynlib: DLLSSLName, importc.}
    proc SSLv23_method*(): PSSL_METHOD {.cdecl, dynlib: DLLSSLName, importc.}
+
+    proc getOpenSSLVersion*(): culong =
+      ## This interface is not supported for OpenSSL < 1.1.0 and will
+      ## always return 0. The interface is provided to aid code
+      ## supporting multiple OpenSSL versions.
+      0
  else:
    proc OPENSSL_init_ssl*(opts: uint64, settings: uint8): cint {.cdecl, dynlib: DLLSSLName, importc, discardable.}
    proc SSL_library_init*(): cint {.discardable.} =
@@ -588,6 +595,15 @@ proc SSL_CTX_use_psk_identity_hint*(ctx: SslCtx; hint: cstring): cint {.cdecl, d
 proc SSL_get_psk_identity*(ssl: SslPtr): cstring {.cdecl, dynlib: DLLSSLName, importc.}
  ## Get PSK identity.

+proc SSL_CTX_set_ecdh_auto*(ctx: SslCtx, onoff: cint): cint {.inline.} =
+  ## Set automatic curve selection.
+  ##
+  ## On OpenSSL >= 1.1.0 this is on by default and cannot be disabled.
+  if getOpenSSLVersion() < 0x010100000:
+    result = cint SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, onoff, nil)
+  else:
+    result = 1
+
 proc bioNew*(b: PBIO_METHOD): BIO{.cdecl, dynlib: DLLUtilName, importc: "BIO_new".}
 proc bioFreeAll*(b: BIO){.cdecl, dynlib: DLLUtilName, importc: "BIO_free_all".}
 proc bioSMem*(): PBIO_METHOD{.cdecl, dynlib: DLLUtilName, importc: "BIO_s_mem".}