Set OPENSSL_EC_NAMED_CURVE explicitly on EC key so that certificate has ASN1 OID and NIST curve inf…

webrtc/base/opensslidentity.cc

Index: webrtc/base/opensslidentity.cc
diff --git a/webrtc/base/opensslidentity.cc b/webrtc/base/opensslidentity.cc
index 58a0cd8adeb2b2f48b7851cc02493c7918108fca..8cec58fb2d6178768785825e0400f4b264af228f 100644
--- a/webrtc/base/opensslidentity.cc
+++ b/webrtc/base/opensslidentity.cc
@@ -61,6 +61,11 @@ static EVP_PKEY* MakeKey(const KeyParams& key_params) {
   } else if (key_params.type() == KT_ECDSA) {
     if (key_params.ec_curve() == EC_NIST_P256) {
       EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+      // Set OPENSSL_EC_NAMED_CURVE explicitly so that the
+      // certificate has the ASN1 OID and NIST CURVE info.
+      // Without this openSSL handshake negotiation fails
+      // throwing SSL_R_NO_SHARED_CIPHER
+      EC_KEY_set_asn1_flag(ec_key, OPENSSL_EC_NAMED_CURVE);

[mattdr-at-webrtc.org, 2016/11/29 23:52:11]

Let's change this comment to offer a bit more context:

Ensure the curve name is included when this key is serialized. Without this
call, OpenSSL versions before 1.1.0 will create certificates that don't work for
TLS. This is a no-op for BoringSSL and OpenSSL 1.1.0+.

       if (!pkey || !ec_key || !EC_KEY_generate_key(ec_key) ||
           !EVP_PKEY_assign_EC_KEY(pkey, ec_key)) {
         EVP_PKEY_free(pkey);