From 81fb015391c7ba9218b87caa148f46c888a49368 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sun, 13 Dec 2020 23:24:38 +0900 Subject: [PATCH] nghttpx: Choose ECDSA cert if compatible signature algorithm available --- src/shrpx_tls.cc | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/src/shrpx_tls.cc b/src/shrpx_tls.cc index c5625303ef..3294a54177 100644 --- a/src/shrpx_tls.cc +++ b/src/shrpx_tls.cc @@ -196,6 +196,31 @@ int servername_callback(SSL *ssl, int *al, void *arg) { #if !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE && \ OPENSSL_VERSION_NUMBER >= 0x10002000L + auto num_sigalgs = + SSL_get_sigalgs(ssl, 0, nullptr, nullptr, nullptr, nullptr, nullptr); + + for (idx = 0; idx < num_sigalgs; ++idx) { + int signhash; + + SSL_get_sigalgs(ssl, idx, nullptr, nullptr, &signhash, nullptr, nullptr); + switch (signhash) { + case NID_ecdsa_with_SHA256: + case NID_ecdsa_with_SHA384: + case NID_ecdsa_with_SHA512: + break; + default: + continue; + } + + break; + } + + if (idx == num_sigalgs) { + SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]); + + return SSL_TLSEXT_ERR_OK; + } + auto num_shared_curves = SSL_get_shared_curve(ssl, -1); for (auto i = 0; i < num_shared_curves; ++i) {