Specify an ECDH group for ECDHE.

By default, OpenSSL cannot negotiate ECDHE cipher suites as a server because it
doesn't know what curve to use.

BUG=chromium:406458
TEST=Download Firefox nightly build from 2014-08-12.
  https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-08-12-mozilla-central-debug/
  Point Firefox to https://apprtc.appspot.com
  Point Chrome on Android to the URL Firefox redirects to (it'll say ?r=NUMBERS at the end)
  After tapping through various permissions prompts on either side, the call goes through.

R=agl@chromium.org, henrike@webrtc.org, jiayl@webrtc.org, juberti@webrtc.org

Review URL: https://webrtc-codereview.appspot.com/18269004

git-svn-id: http://webrtc.googlecode.com/svn/trunk/webrtc@7002 4adac7df-926f-26a2-2b94-8c16560cd09d
diff --git a/base/opensslstreamadapter.cc b/base/opensslstreamadapter.cc
index 5eaeb1b..ed5ac74 100644
--- a/base/opensslstreamadapter.cc
+++ b/base/opensslstreamadapter.cc
@@ -615,6 +615,16 @@
   SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
                SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 
+  // Specify an ECDH group for ECDHE ciphers, otherwise they cannot be
+  // negotiated when acting as the server. Use NIST's P-256 which is commonly
+  // supported.
+  EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+  if (ecdh == NULL)
+    return -1;
+  SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE);
+  SSL_set_tmp_ecdh(ssl_, ecdh);
+  EC_KEY_free(ecdh);
+
   // Do the connect
   return ContinueSSL();
 }
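Review bot: The return value of SSL_set_tmp_ecdh(ssl_, ecdh) is ignored, so if setting the curve fails the function still falls through to ContinueSSL() and the server side is left unable to negotiate ECDHE, with nothing logged to say why. Check that the call returns 1 and, on failure, free ecdh and return -1 the same way the ecdh == NULL branch does. Separately, the early return -1 in the NULL branch happens after ssl_ has already been configured by SSL_set_mode; no cleanup is visible in this hunk, so confirm that the caller or an existing error path releases ssl_ on that return.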