Modernize DHE and ECDHE support

Enable full strength DHE and ECDHE by default in order to allow modern
browsers to connect without weak crypto warnings.

Issue:		#119
Reported by:	@curioustwo

defaults.h

@@ -60,7 +60,7 @@
 /*
  * Default elliptic curve for EC cipher suites.
  */
-#define DFLT_CURVE "secp160r2"
+#define DFLT_CURVE "prime256v1"
 
 #endif /* !DEFAULTS_H */
 

main.c

@@ -151,7 +151,7 @@ main_usage(void)
 #define OPT_g 
 #endif /* !OPENSSL_NO_DH */
 #ifndef OPENSSL_NO_ECDH
-"  -G curve    use ECDH named curve (default: " DFLT_CURVE " for non-RSA leafkey)\n"
+"  -G curve    use ECDH named curve (default: " DFLT_CURVE ")\n"
 #define OPT_G "G:"
 #else /* OPENSSL_NO_ECDH */
 #define OPT_G 

pxyconn.c

@@ -714,7 +714,7 @@ pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,
 #ifndef OPENSSL_NO_DH
 	if (ctx->opts->dh) {
 		SSL_CTX_set_tmp_dh(sslctx, ctx->opts->dh);
-	} else if (EVP_PKEY_type(key->type) != EVP_PKEY_RSA) {
+	} else {
 		SSL_CTX_set_tmp_dh_callback(sslctx, ssl_tmp_dh_callback);
 	}
 #endif /* !OPENSSL_NO_DH */
@@ -723,7 +723,7 @@ pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,
 		EC_KEY *ecdh = ssl_ec_by_name(ctx->opts->ecdhcurve);
 		SSL_CTX_set_tmp_ecdh(sslctx, ecdh);
 		EC_KEY_free(ecdh);
-	} else if (EVP_PKEY_type(key->type) != EVP_PKEY_RSA) {
+	} else {
 		EC_KEY *ecdh = ssl_ec_by_name(NULL);
 		SSL_CTX_set_tmp_ecdh(sslctx, ecdh);
 		EC_KEY_free(ecdh);

sslsplit.1

@@ -140,24 +140,14 @@ Use Diffie-Hellman group parameters from \fIpemfile\fP for Ephemereal
 Diffie-Hellman (EDH/DHE) cipher suites.  If \fB-g\fP is not given, SSLsplit
 first tries to load DH parameters from the PEM files given by \fB-K\fP,
 \fB-k\fP or \fB-c\fP.  If no DH parameters are found in the key files, built-in
-512 or 1024 bit group parameters are automatically used iff a non-RSA private
-key is given with \fB-K\fP.
-This is because DSA/DSS private keys can by themselves only be used for signing
-and thus require DH to exchange an SSL/TLS session key.
-If \fB-g\fP is given, the parameters from the given \fIpemfile\fP will always
-be used, even with RSA private keys (within the cipher suites available in
-OpenSSL).
+group parameters are automatically used.
 The \fB-g\fP option is only available if SSLsplit was built against a version
 of OpenSSL which supports Diffie-Hellman cipher suites.
 .TP
 .B \-G \fIcurve\fP
-Use the named \fIcurve\fP for Ephemereal Elliptic Curve Diffie-Hellman (EECDH)
-cipher suites.  If \fB-G\fP is not given, a default curve (\fBsecp160r2\fP) is
-used automatically iff a non-RSA private key is given with \fB-K\fP.
-This is because ECDSA/ECDSS private keys can by themselves only be used for
-signing and thus require ECDH to exchange an SSL/TLS session key.
-If \fB-G\fP is given, the named \fIcurve\fP will always be used, even with RSA
-private keys (within the cipher suites available in OpenSSL).
+Use the named \fIcurve\fP for Ephemereal Elliptic Curve Diffie-Hellman (ECDHE)
+cipher suites.  If \fB-G\fP is not given, a default curve (\fBprime256v1\fP) is
+used automatically.
 The \fB-G\fP option is only available if SSLsplit was built against a version
 of OpenSSL which supports Elliptic Curve Diffie-Hellman cipher suites.
 .TP