> That's really nice, I've just applied it with Emeric's approval.

Thanks Willy, but I just remembered that my patch walks directly into
what I spotted earlier, that in OpenSSL the name of ciphers using
ephemeral Diffie-Hellman for key exchange can start with EDH, but also
DHE, EXP-EDH or EXP1024-DHE.

Here is a patch to fix that, hopefully it will be the only issue
remaining :)


-- 
Rémi Gacogne


From 04b9e1b7f199996c2783d30b04e04f3b0ac5198f Mon Sep 17 00:00:00 2001
From: Remi Gacogne <rgacogne[at]aquaray[dot]fr>
Date: Thu, 12 Jun 2014 16:47:46 +0200
Subject: [PATCH] Fix detection of ephemeral Diffie-Hellman key exchange.

In OpenSSL, the name of a cipher using ephemeral Diffie-Hellman for key
 exchange can start with EDH, but also DHE, EXP-EDH or EXP1024-DHE.
---
 src/ssl_sock.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bfbb5b8..466a4f5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1024,8 +1024,11 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 	SSL_CIPHER * cipher = NULL;
 	const char * cipher_name = NULL;
 	/* The name of ciphers using an Ephemeral Diffie Hellman key exchange
-	   starts with "EDH". */
+	   starts with "EDH", "DHE", "EXP-EDH" or "EXP1024-DHE". */
 	const char edh_name[] = "EDH";
+	const char dhe_name[] = "DHE";
+	const char export_edh_name[] = "EXP-EDH";
+	const char export1024_dhe_name[] = "EXP1024-DHE";
 	int idx = 0;
 	int dhe_found = 0;
 
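Review bot: the four separate `const char ...[]` constants added in this hunk (`edh_name`, `dhe_name`, `export_edh_name`, `export1024_dhe_name`) each need their own `strncmp` and `sizeof (...)-1` later on, so a fifth spelling would mean touching two places; a single NULL-terminated table such as `static const char *dhe_prefixes[] = { "EDH", "DHE", "EXP-EDH", "EXP1024-DHE", NULL };` walked in a loop keeps the list and the comparison in one spot and lets the updated comment point at the table instead of repeating the names.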
@@ -1125,7 +1128,10 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 			for (idx = 0; idx < sk_SSL_CIPHER_num(ciphers); idx++) {
 				cipher = sk_SSL_CIPHER_value(ciphers, idx);
 				cipher_name = SSL_CIPHER_get_name(cipher);
-				if (strncmp(cipher_name, edh_name, sizeof (edh_name)-1) == 0) {
+				if (strncmp(cipher_name, edh_name, sizeof (edh_name)-1) == 0 ||
+				    strncmp(cipher_name, dhe_name, sizeof (dhe_name)-1) == 0 ||
+				    strncmp(cipher_name, export_edh_name, sizeof (export_edh_name)-1) == 0 ||
+				    strncmp(cipher_name, export1024_dhe_name, sizeof (export1024_dhe_name)-1) == 0) {
 					dhe_found = 1;
 					break;
 				}
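Review bot: the `if` in this hunk is now four chained `strncmp` calls, and the `EXP1024-DHE` line runs well past the width of the surrounding code; moving the test into a small helper (e.g. `ssl_sock_is_dhe_cipher(cipher_name)` that loops over a prefix table with `strlen(prefix)`) would keep this loop body to a single readable condition. None of the four prefixes subsumes another (`EXP-EDH` and `EXP1024-DHE` do not start with `EDH` or `DHE`), so all four are needed; a quick check that a `DHE-`, an `EXP-EDH-` and an `EXP1024-DHE-` cipher name each set `dhe_found` would confirm the fix.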
-- 
2.0.0
