From 9fec34968b7da9108c28e0157ad8abee210ba325 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 28 Jun 2014 15:35:10 +0900
Subject: [PATCH] nghttpd: Disable SSL_CTX_set_ecdh_auto for OpenSSL >= 1.0.2

---
 src/HttpServer.cc | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/HttpServer.cc b/src/HttpServer.cc
index 99cde300..8880166b 100644
--- a/src/HttpServer.cc
+++ b/src/HttpServer.cc
@@ -1674,9 +1674,12 @@ int HttpServer::run()
 #ifndef OPENSSL_NO_EC
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-    SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
-#else // OPENSSL_VERSION_NUBMER < 0x10002000L
+    // Disabled SSL_CTX_set_ecdh_auto, because computational cost of
+    // chosen curve is much higher than P-256.
+
+// #if OPENSSL_VERSION_NUMBER >= 0x10002000L
+//     SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
+// #else // OPENSSL_VERSION_NUBMER < 0x10002000L
     // Use P-256, which is sufficiently secure at the time of this
     // writing.
     auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
@@ -1687,7 +1690,7 @@ int HttpServer::run()
     }
     SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
     EC_KEY_free(ecdh);
-#endif // OPENSSL_VERSION_NUBMER < 0x10002000L
+// #endif // OPENSSL_VERSION_NUBMER < 0x10002000L
 #endif // OPENSSL_NO_EC
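Review bot: The new side of the first hunk keeps the `#if OPENSSL_VERSION_NUMBER` / `#else` / `SSL_CTX_set_ecdh_auto` lines as `//`-commented dead text (and the second hunk keeps the matching `// #endif`, still carrying the "NUBMER" typo); since git already holds the history, delete those four lines and keep only the two-line rationale comment above the P-256 setup. The rationale would be more useful if it said what the removed path did: `// SSL_CTX_set_ecdh_auto (OpenSSL >= 1.0.2) negotiates the curve from the client's advertised list, which can select a curve far costlier than P-256, so P-256 is pinned via SSL_CTX_set_tmp_ecdh instead.` If the goal is only to cap cost while keeping negotiation, OpenSSL 1.0.2 also provides `SSL_CTX_set1_curves_list(ssl_ctx, "P-256")` for use together with ecdh_auto, which I believe yields the same curve through the negotiated path. Pinning a single curve means a client that does not offer P-256 gets no ECDHE key exchange at all and falls back to whatever non-ECDHE suites remain enabled, which is worth one sentence in that comment. `HttpServer::run()` begins and ends outside both hunks, and both hunks appear truncated in this view (their line counts exceed the lines shown).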