From e332cd9a3a6ac1b1a2889ed4a3bda9dca8ae0861 Mon Sep 17 00:00:00 2001
From: Masaori Koshiba
Date: Tue, 31 Jul 2018 14:13:44 +0900
Subject: [PATCH] Enable ECDH explicitly only if OpenSSL version is v1.0.2 or lower

SSL_CTX_set_ecdh_auto() has been removed and ECDH is enabled in default since OpenSSL v1.1.0.
---
 iocore/net/SSLUtils.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 93d7fb3d448..71b71a3d03c 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -587,9 +587,13 @@ ssl_context_enable_dhe(const char *dhparams_file, SSL_CTX *ctx)
   return ctx;
 }
+// SSL_CTX_set_ecdh_auto() is removed by OpenSSL v1.1.0 and ECDH is enabled in default.
+// TODO: remove this function when we drop support of OpenSSL v1.0.2* and lower.
 static SSL_CTX *
 ssl_context_enable_ecdh(SSL_CTX *ctx)
 {
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+
 #if TS_USE_TLS_ECKEY
 #if defined(SSL_CTRL_SET_ECDH_AUTO)
@@ -602,6 +606,7 @@ ssl_context_enable_ecdh(SSL_CTX *ctx)
     EC_KEY_free(ecdh);
   }
 #endif
+#endif
 #endif
   return ctx;
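Review bot: The three consecutive `#endif`s at the end of the second hunk are unlabelled, and the new one is inserted between the two existing ones rather than appended after them, so a reader cannot tell which `#if` each closes without counting back to the first hunk; label them in reverse order of the `#if`s, `#endif // SSL_CTRL_SET_ECDH_AUTO` / `#endif // TS_USE_TLS_ECKEY` / `#endif // OPENSSL_VERSION_NUMBER < 0x10100000`. The header comment added in the first hunk should also state the consequence of the guard: on OpenSSL 1.1.0 and later the function returns `ctx` unchanged and curve selection is left to the library's default automatic ECDH, so nobody reading the function concludes that ECDH is disabled there. The same guard compiles the block out for any library reporting a non-OpenSSL `OPENSSL_VERSION_NUMBER` (LibreSSL reports 0x20000000L), which is presumably intended but worth a word in the comment if this tree also builds against LibreSSL. The function's closing brace lies outside the second hunk.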