LibsslTLSContext: Disable SSLv3 and enable ECDHE cipher suites

src/LibsslTLSContext.cc

@@ -100,23 +100,33 @@ OpenSSLTLSContext::OpenSSLTLSContext(TLSSessionSide side)
                      ERR_error_string(ERR_get_error(), nullptr)));
     return;
   }
-  // Disable SSLv2 and enable all workarounds for buggy servers
+  // Disable SSLv2/3 and enable all workarounds for buggy servers
-  SSL_CTX_set_options(sslCtx_, SSL_OP_ALL | SSL_OP_NO_SSLv2
+  SSL_CTX_set_options(sslCtx_, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
+                      | SSL_OP_SINGLE_ECDH_USE
 #ifdef SSL_OP_NO_COMPRESSION
                       | SSL_OP_NO_COMPRESSION
 #endif // SSL_OP_NO_COMPRESSION
                       );
   SSL_CTX_set_mode(sslCtx_, SSL_MODE_AUTO_RETRY);
   SSL_CTX_set_mode(sslCtx_, SSL_MODE_ENABLE_PARTIAL_WRITE);
-  #ifdef SSL_MODE_RELEASE_BUFFERS
+#ifdef SSL_MODE_RELEASE_BUFFERS
   /* keep memory usage low */
   SSL_CTX_set_mode(sslCtx_, SSL_MODE_RELEASE_BUFFERS);
-  #endif
+#endif
   if(SSL_CTX_set_cipher_list(sslCtx_, "HIGH:!aNULL:!eNULL") == 0) {
     good_ = false;
     A2_LOG_ERROR(fmt("SSL_CTX_set_cipher_list() failed. Cause: %s",
                      ERR_error_string(ERR_get_error(), nullptr)));
   }
+
+  auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+  if(ecdh == nullptr) {
+    A2_LOG_WARN(fmt("Failed to enable ECDHE cipher suites. Cause: %s",
+                    ERR_error_string(ERR_get_error(), nullptr)));
+  } else {
+    SSL_CTX_set_tmp_ecdh(sslCtx_, ecdh);
+    EC_KEY_free(ecdh);
+  }
 }
 
 OpenSSLTLSContext::~OpenSSLTLSContext()