MEDIUM: ssl: fix detection of ephemeral diffie-hellman key exchange by using the cipher description.

In OpenSSL, the name of a cipher using ephemeral Diffie-Hellman for key
exchange can start with EDH, but also DHE, EXP-EDH or EXP1024-DHE.
We work around this issue by using the cipher's description instead of
the cipher's name.
Hopefully the description is less likely to change in the future.
This commit is contained in:
Remi Gacogne 2014-06-12 18:20:11 +02:00 committed by Willy Tarreau
parent f46cd6e4ec
commit c1eab8c96f


@ -1022,10 +1022,12 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
SSL_MODE_RELEASE_BUFFERS; SSL_MODE_RELEASE_BUFFERS;
STACK_OF(SSL_CIPHER) * ciphers = NULL; STACK_OF(SSL_CIPHER) * ciphers = NULL;
SSL_CIPHER * cipher = NULL; SSL_CIPHER * cipher = NULL;
const char * cipher_name = NULL; char cipher_description[128];
/* The name of ciphers using an Ephemeral Diffie Hellman key exchange /* The description of ciphers using an Ephemeral Diffie Hellman key exchange
starts with "EDH". */ contains " Kx=DH " or " Kx=DH(". Beware of " Kx=DH/",
const char edh_name[] = "EDH"; which is not ephemeral DH. */
const char dhe_description[] = " Kx=DH ";
const char dhe_export_description[] = " Kx=DH(";
int idx = 0; int idx = 0;
int dhe_found = 0; int dhe_found = 0;
@ -1124,12 +1126,14 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
if (ciphers) { if (ciphers) {
for (idx = 0; idx < sk_SSL_CIPHER_num(ciphers); idx++) { for (idx = 0; idx < sk_SSL_CIPHER_num(ciphers); idx++) {
cipher = sk_SSL_CIPHER_value(ciphers, idx); cipher = sk_SSL_CIPHER_value(ciphers, idx);
cipher_name = SSL_CIPHER_get_name(cipher); if (SSL_CIPHER_description(cipher, cipher_description, sizeof (cipher_description)) == cipher_description) {
if (strncmp(cipher_name, edh_name, sizeof (edh_name)-1) == 0) { if (strstr(cipher_description, dhe_description) != NULL ||
strstr(cipher_description, dhe_export_description) != NULL) {
dhe_found = 1; dhe_found = 1;
break; break;
} }
} }
}
if (dhe_found) { if (dhe_found) {
Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n"); Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n");