Merge pull request #1542 from nghttp2/nghttpx-check-sigalg

nghttpx: Choose ECDSA cert if compatible signature algorithm available
Tatsuhiro Tsujikawa 2020-12-14 23:00:52 +09:00 committed by GitHub
commit 8b8ba6b0a6
1 changed files with 25 additions and 0 deletions


@ -196,6 +196,31 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
#if !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE && \ #if !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE && \
OPENSSL_VERSION_NUMBER >= 0x10002000L OPENSSL_VERSION_NUMBER >= 0x10002000L
auto num_sigalgs =
SSL_get_sigalgs(ssl, 0, nullptr, nullptr, nullptr, nullptr, nullptr);
for (idx = 0; idx < num_sigalgs; ++idx) {
int signhash;
SSL_get_sigalgs(ssl, idx, nullptr, nullptr, &signhash, nullptr, nullptr);
switch (signhash) {
case NID_ecdsa_with_SHA256:
case NID_ecdsa_with_SHA384:
case NID_ecdsa_with_SHA512:
break;
default:
continue;
}
break;
}
if (idx == num_sigalgs) {
SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
return SSL_TLSEXT_ERR_OK;
}
auto num_shared_curves = SSL_get_shared_curve(ssl, -1); auto num_shared_curves = SSL_get_shared_curve(ssl, -1);
for (auto i = 0; i < num_shared_curves; ++i) { for (auto i = 0; i < num_shared_curves; ++i) {