State why ECDH is disabled with OpenSSL < 1.0.0e

12 years ago · a3b6d58df4
parent 38d22415af
commit a3b6d58df4
1 changed files with 5 additions and 0 deletions
--- a/ssl.h
+++ b/ssl.h
@ -38,6 +38,11 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>

+/*
+ * ECDH is disabled when building against OpenSSL < 1.0.0e due to issues with
+ * thread-safety and security in server mode ephemereal ECDH cipher suites.
+ * http://www.openssl.org/news/secadv_20110906.txt
+ */
 #if (OPENSSL_VERSION_NUMBER < 0x10000000L) && !defined(OPENSSL_NO_THREADID)
 #define OPENSSL_NO_THREADID
 #endif