
iauto ecdh curve parameters; docs.

mom040267 11 years ago
parent
commit
4dfa8248a1

+ 1 - 0
ChangeLog

@@ -2,6 +2,7 @@
 Version 4.3.2.1 'Tolomei':
 	- STUN/TURN ALPN supported (when compiled with OpenSSL 1.0.2+ );
 	- DTLS v1.2 supported (when compiled with OpenSSL 1.0.2+ );
+	- Auto optimal ECDH parameters (when compiled with OpenSSL 1.0.2+ );
 	- TLS/DTLS code cleaning.
 
 11/29/2014 Oleg Moskalenko <[email protected]>

+ 5 - 2
README.turnserver

@@ -444,8 +444,11 @@ Options with required values:
 			Forces TURN server to verify the client SSL certificates.
 			By default, no CA is set and no client certificate check is performed.
 
---ec-curve-name		Curve name for EC ciphers, if supported by OpenSSL library (TLS and DTLS).
-			The default value is prime256v1.
+--ec-curve-name		Curve name for EC ciphers, if supported by OpenSSL 
+			library (TLS and DTLS). The default value is prime256v1, 
+			if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
+			an optimal curve will be automatically calculated, if not defined
+			by this option.
 
 --dh-file		Use custom DH TLS key, stored in PEM format in the file.
 			Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.

+ 5 - 2
examples/etc/turnserver.conf

@@ -418,8 +418,11 @@
 # Example:
 #CA-file=/etc/ssh/id_rsa.cert
 
-# Curve name for EC ciphers, if supported by OpenSSL library (TLS and DTLS).
-# The default value is prime256v1.
+# Curve name for EC ciphers, if supported by OpenSSL 
+# library (TLS and DTLS). The default value is prime256v1, 
+# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
+# an optimal curve will be automatically calculated, if not defined
+# by this option.
 #
 #ec-curve-name=prime256v1
 

+ 1 - 1
man/man1/turnadmin.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "10 December 2014" "" ""
+.TH TURN 1 "13 December 2014" "" ""
 .SH GENERAL INFORMATION
 
 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 

+ 6 - 3
man/man1/turnserver.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "10 December 2014" "" ""
+.TH TURN 1 "13 December 2014" "" ""
 .SH GENERAL INFORMATION
 
 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client 
@@ -649,8 +649,11 @@ By default, no CA is set and no client certificate check is performed.
 .TP
 .B
 \fB\-\-ec\-curve\-name\fP
-Curve name for EC ciphers, if supported by OpenSSL library (TLS and DTLS).
-The default value is prime256v1.
+Curve name for EC ciphers, if supported by OpenSSL 
+library (TLS and DTLS). The default value is prime256v1, 
+if pre\-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
+an optimal curve will be automatically calculated, if not defined
+by this option.
 .TP
 .B
 \fB\-\-dh\-file\fP

+ 1 - 1
man/man1/turnutils.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "10 December 2014" "" ""
+.TH TURN 1 "13 December 2014" "" ""
 .SH GENERAL INFORMATION
 
 A set of turnutils_* programs provides some utility functionality to be used

+ 6 - 0
src/apps/common/apputils.h

@@ -110,6 +110,12 @@ extern int IS_TURN_SERVER;
 
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_FIRST_ALPN_VERSION
+#define SSL_SESSION_ECDH_AUTO_SUPPORTED 1
+#else
+#define SSL_SESSION_ECDH_AUTO_SUPPORTED 0
+#endif
+
 /////////// SSL //////////////////////////
 
 enum _TURN_TLS_TYPE {
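Review bot: SSL_SESSION_ECDH_AUTO_SUPPORTED is derived from OPENSSL_FIRST_ALPN_VERSION, so the availability of SSL_CTX_set_ecdh_auto is tied to an unrelated feature's threshold; the two happen to coincide at OpenSSL 1.0.2, but a later adjustment of the ALPN constant would silently change the ECDH code path. A one-line comment above the `#if`, such as `/* SSL_CTX_set_ecdh_auto() first appeared in OpenSSL 1.0.2, the same release as ALPN */`, records why the reuse is valid. If OPENSSL_VERSION_NUMBER is not already defined at this point in the header (the includes are outside the hunk), the comparison is evaluated with 0 and the macro becomes 0, which disables automatic curve selection without any diagnostic; an explicit `#include <openssl/opensslv.h>` ahead of the check, or an `#error` when the symbol is missing, guards against that.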

+ 23 - 8
src/apps/relay/mainrelay.c

@@ -509,8 +509,11 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " --CA-file		<filename>		CA file in OpenSSL format.\n"
 "						Forces TURN server to verify the client SSL certificates.\n"
 "						By default, no CA is set and no client certificate check is performed.\n"
-" --ec-curve-name	<curve-name>		Curve name for EC ciphers, if supported by OpenSSL library\n"
-"						(TLS and DTLS). The default value is prime256v1.\n"
+" --ec-curve-name	<curve-name>		Curve name for EC ciphers, if supported by OpenSSL\n"
+"						library (TLS and DTLS). The default value is prime256v1,\n"
+"						if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,\n"
+"						an optimal curve will be automatically calculated, if not defined\n"
+"						by this option.\n"
 " --dh566					Use 566 bits predefined DH TLS key. Default size of the predefined key is 1066.\n"
 " --dh2066					Use 2066 bits predefined DH TLS key. Default size of the predefined key is 1066.\n"
 " --dh-file	<dh-file-name>			Use custom DH TLS key, stored in PEM format in the file.\n"
@@ -2435,23 +2438,35 @@ static void set_ctx(SSL_CTX* ctx, const char *protocol)
 #if !defined(OPENSSL_NO_EC) && defined(OPENSSL_EC_NAMED_CURVE)
 	{ //Elliptic curve algorithms:
 		int nid = NID_X9_62_prime256v1;
+		int set_tmp_curve = !SSL_SESSION_ECDH_AUTO_SUPPORTED;
 
 		if (turn_params.ec_curve_name[0]) {
 			nid = OBJ_sn2nid(turn_params.ec_curve_name);
 			if (nid == 0) {
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,"unknown curve name (%s), using NID_X9_62_prime256v1\n",turn_params.ec_curve_name);
 				nid = NID_X9_62_prime256v1;
+			} else {
+				set_tmp_curve = 1;
 			}
 		}
 
-		EC_KEY *ecdh = EC_KEY_new_by_curve_name(nid);
-		if (!ecdh) {
-			TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
+		if(set_tmp_curve) {
+			EC_KEY *ecdh = EC_KEY_new_by_curve_name(nid);
+			if (!ecdh) {
+				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
 				      "%s: ERROR: allocate EC suite\n",__FUNCTION__);
-		} else {
-			SSL_CTX_set_tmp_ecdh(ctx, ecdh);
-			EC_KEY_free(ecdh);
+				set_tmp_curve = 0;
+			} else {
+				SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+				EC_KEY_free(ecdh);
+			}
 		}
+
+#if SSL_SESSION_ECDH_AUTO_SUPPORTED
+		if(!set_tmp_curve) {
+			SSL_CTX_set_ecdh_auto(ctx,1);
+		}
+#endif
 	}
 #endif
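Review bot: With OpenSSL 1.0.2+, an unrecognised --ec-curve-name now ends up in SSL_CTX_set_ecdh_auto, because the `nid == 0` branch leaves set_tmp_curve at its initial value of !SSL_SESSION_ECDH_AUTO_SUPPORTED, yet the error log still says "using NID_X9_62_prime256v1", so the operator reads one curve policy while a different one is in effect. Either make that branch explicit with `set_tmp_curve = 1;` next to the reset of nid, or have the message state the real fallback, e.g. `"unknown curve name (%s), using %s\n", turn_params.ec_curve_name, SSL_SESSION_ECDH_AUTO_SUPPORTED ? "automatic ECDH curve selection" : "NID_X9_62_prime256v1"`. The return value of SSL_CTX_set_tmp_ecdh is still discarded, so a context that ends up with neither a fixed nor an automatic curve goes unreported. The continuation line of the TURN_LOG_FUNC call inside `if(set_tmp_curve)` was not re-indented with the rest of the moved block. set_ctx's body starts and ends outside the hunk.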