On 19.04.2014 09:00, Falco Schwarz wrote:
> that OpenSSL actually returns the private key used by the connection.
I just noticed [1], so you might want to try the attached (but untested) patch with 1.0.2-beta1 at least (beware of CVE-2014-0160 though, later versions preferred).

Kaspar

[1] https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=58b86e4235cd420f607819727d372af9f7a80224
Index: modules/ssl/ssl_engine_kernel.c =================================================================== --- modules/ssl/ssl_engine_kernel.c (revision 1588426) +++ modules/ssl/ssl_engine_kernel.c (working copy) @@ -1344,9 +1344,15 @@ make_get_dh(rfc3526, 4096, 2) DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) { conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); - EVP_PKEY *pkey = SSL_get_privatekey(ssl); - int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; + EVP_PKEY *pkey; + int type; +#ifdef SSL_CERT_SET_SERVER + SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER); +#endif + pkey = SSL_get_privatekey(ssl); + type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; + /* * OpenSSL will call us with either keylen == 512 or keylen == 1024 * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h).
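Review bot: the return value of `SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);` is discarded, so if that call reports failure the callback silently continues with whatever certificate was current and `pkey = SSL_get_privatekey(ssl);` can again return a key other than the one negotiated for this connection, which is exactly the case this change is meant to fix; check the result (and treat the pre-patch behaviour as an explicit, commented fallback) rather than ignoring it. The `#ifdef SSL_CERT_SET_SERVER` block also deserves a one-line comment saying why the current certificate is switched to the server-selected one before the key is queried, since the `type` derived from `pkey` drives the DH parameter choice below and a reader of `ssl_callback_TmpDH` will not otherwise see why the order matters. As the cover message notes the patch is untested, a run against a build where `SSL_CERT_SET_SERVER` is defined, with a configuration that carries more than one server key, would confirm that the key length now matches the certificate actually in use.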