apache · markt-asf · Jan 8, 2026 · Jan 9, 2026
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
@@ -49,6 +49,7 @@
 #ifndef LIBRESSL_VERSION_NUMBER
 #include <openssl/provider.h>
 #endif
+#include <openssl/core_names.h>
 
 #ifndef RAND_MAX
 #include <limits.h>
@@ -378,7 +379,7 @@ void        SSL_BIO_doref(BIO *);
 DH         *SSL_get_dh_params(unsigned keylen);
 EVP_PKEY   *SSL_dh_GetParamFromFile(const char *);
 #ifdef HAVE_ECC
-EC_GROUP   *SSL_ec_GetParamFromFile(const char *);
+int         SSL_ec_GetParamFromFile(const char *);
 #endif
 DH         *SSL_callback_tmp_DH(SSL *, int, int);
 void        SSL_callback_handshake(const SSL *, int, int);

diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
@@ -946,9 +946,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx,
     const char *p;
     char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
 #ifdef HAVE_ECC
-    EC_GROUP *ecparams = NULL;
     int nid;
-    EC_KEY *eckey = NULL;
 #endif
     EVP_PKEY *evp;
 
@@ -1036,14 +1034,10 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx,
      */
     /* XXX Does this also work for pkcs12 or only for PEM files?
      * If only for PEM files move above to the PEM handling */
-    if ((ecparams = SSL_ec_GetParamFromFile(cert_file)) &&
-        (nid = EC_GROUP_get_curve_name(ecparams)) &&
-        (eckey = EC_KEY_new_by_curve_name(nid))) {
-        SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
-    }
-    /* OpenSSL assures us that _free() is NULL-safe */
-    EC_KEY_free(eckey);
-    EC_GROUP_free(ecparams);
+    nid = SSL_ec_GetParamFromFile(cert_file);
+    if (nid != NID_undef) {
+        SSL_CTX_set1_groups(c->ctx, &nid, 1);
+    }
 #endif
     SSL_CTX_set_dh_auto(c->ctx, 1);
 

diff --git a/native/src/sslutils.c b/native/src/sslutils.c
@@ -198,16 +198,41 @@ EVP_PKEY *SSL_dh_GetParamFromFile(const char *file)
 }
 
 #ifdef HAVE_ECC
-EC_GROUP *SSL_ec_GetParamFromFile(const char *file)
+int SSL_ec_GetParamFromFile(const char *file)
 {
-    EC_GROUP *group = NULL;
+    EVP_PKEY *evp = NULL;
     BIO *bio;
+    char curve_name[80];
 
     if ((bio = BIO_new_file(file, "r")) == NULL)
-        return NULL;
-    group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
+        return NID_undef;
+    evp = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL);
     BIO_free(bio);
-    return (group);
+    if (!EVP_PKEY_is_a(evp, "EC")) {
+        EVP_PKEY_free(evp);
+        return NID_undef;
+    }
+
+    OSSL_PARAM param[] = {
+        OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, curve_name, sizeof(curve_name)),
+        OSSL_PARAM_construct_end()
+    };
+
+    /* Query the curve name from the EVP_PKEY params object */
+    if (EVP_PKEY_get_params(evp, param) <= 0) {
+        EVP_PKEY_free(evp);
+        return NID_undef; /* Failed to retrieve the curve name */
+    }
+
+    /* Convert the curve name to the NID */
+    int nid = OBJ_sn2nid(curve_name);
+    if (nid == NID_undef) {
+        /* If the short name didn't resolve, try the long name */
+        nid = OBJ_ln2nid(curve_name);
+    }
+
+    EVP_PKEY_free(evp);
+    return nid; /* Returns the curve's NID, or NID_undef on failure */
 }
 #endif
 

diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
@@ -37,6 +37,10 @@
       Remove group write permissions from the files in the tar.gz source
       archive. (markt)
     </fix>
+    <fix>
+      Refactor extraction of ECDH curve name from the Certificate to avoid
+      deprecated OpenSSL methods. (markt)
+    </fix>
   </changelog>
 </section>
 <section name="Changes in 2.0.12">