> Yes I think it's better exactly for the reason you reported (inconsistent
> naming over time). I'm having a hard time believing that Kx=DH has any
> reason to change as often as the internal bitfields or cipher names given
> that the output is even documented in the man page.

Well, I really hope you're right. This patch looks in the cipher's
description instead of its name. Sorry about the mess.


-- 
Rémi Gacogne


From e26407eb5dc2ae918e243408a9e2c66b726dd17e Mon Sep 17 00:00:00 2001
From: Remi Gacogne <rgacogne[at]aquaray[dot]fr>
Date: Thu, 12 Jun 2014 18:20:11 +0200
Subject: [PATCH] Fix detection of ephemeral diffie-hellman key exchange by
 using the cipher description.

In OpenSSL, the name of a cipher using ephemeral diffie-hellman for key
exchange can start with EDH, but also DHE, EXP-EDH or EXP1024-DHE.
We work around this issue by using the cipher's description instead of
the cipher's name.
Hopefully the description is less likely to change in the future.
---
 src/ssl_sock.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bfbb5b8..8fb8b5f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1022,10 +1022,12 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 		SSL_MODE_RELEASE_BUFFERS;
 	STACK_OF(SSL_CIPHER) * ciphers = NULL;
 	SSL_CIPHER * cipher = NULL;
-	const char * cipher_name = NULL;
-	/* The name of ciphers using an Ephemeral Diffie Hellman key exchange
-	   starts with "EDH". */
-	const char edh_name[] = "EDH";
+	char cipher_description[128];
+	/* The description of ciphers using an Ephemeral Diffie Hellman key exchange
+	   contains " Kx=DH " or " Kx=DH(". Beware of " Kx=DH/",
+	   which is not ephemeral DH. */
+	const char dhe_description[] = " Kx=DH ";
+	const char dhe_export_description[] = " Kx=DH(";
 	int idx = 0;
 	int dhe_found = 0;
 
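Review bot: the literal 128 in `char cipher_description[128];` deserves a comment or a named constant, because OpenSSL's SSL_CIPHER_description() rejects buffers smaller than 128 bytes and returns a static error string instead of filling them, so this is exactly the minimum it accepts rather than a comfortable margin. The comment above `dhe_description` already explains the " Kx=DH/" pitfall; it would also help to note that the trailing blank in " Kx=DH " is what separates ephemeral DH from the fixed-DH form, so the check depends on OpenSSL keeping a blank after the Kx field in its description output.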
@@ -1124,10 +1126,12 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 		if (ciphers) {
 			for (idx = 0; idx < sk_SSL_CIPHER_num(ciphers); idx++) {
 				cipher = sk_SSL_CIPHER_value(ciphers, idx);
-				cipher_name = SSL_CIPHER_get_name(cipher);
-				if (strncmp(cipher_name, edh_name, sizeof (edh_name)-1) == 0) {
-					dhe_found = 1;
-					break;
+				if (SSL_CIPHER_description(cipher, cipher_description, sizeof (cipher_description)) == cipher_description) {
+					if (strstr(cipher_description, dhe_description) != NULL ||
+					    strstr(cipher_description, dhe_export_description) != NULL) {
+						dhe_found = 1;
+						break;
+					}
 				}
 			}
 
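Review bot: the two nested `if`s (the SSL_CIPHER_description() return test and the strstr() pair) can be merged into a single condition joined with `&&`, which removes one indentation level from an already deep loop body without changing behaviour. The comparison `== cipher_description` is the correct success test here rather than a NULL check, since OpenSSL returns a pointer to a static message when the buffer is too small or allocation fails, so keep it as written; consider a debug-level log when the description cannot be obtained, because a cipher skipped that way silently contributes nothing to `dhe_found`.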
-- 
2.0.0
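The description-based check that the commit message describes, as an added example that is not part of the patch or of HAProxy: it applies the same two substring tests to a handful of constructed description lines shaped like SSL_CIPHER_description() output, and beside it a field-based variant (an assumption of this example, not something the patch does) that isolates the Kx= token so the verdict does not hinge on how the field is padded. The sample lines are constructed for illustration, not captured from an OpenSSL build.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample lines in the shape of OpenSSL's SSL_CIPHER_description()
 * output (name, protocol, Kx=, Au=, Enc=, Mac=). Illustrative only, not
 * captured from a real OpenSSL build. */
static const char *sample_descriptions[] = {
    "DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1",
    "EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export",
    "DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1",
    "ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1",
    "AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1",
};

#define SAMPLE_COUNT (sizeof(sample_descriptions) / sizeof(sample_descriptions[0]))

/* The substring test from the patch: ephemeral DH shows up as " Kx=DH "
 * (blank-terminated field) or " Kx=DH(" (export grade), while fixed DH
 * appears as " Kx=DH/" and must not match. */
int dhe_by_substring(const char *description)
{
    return strstr(description, " Kx=DH ") != NULL ||
           strstr(description, " Kx=DH(") != NULL;
}

/* Field-based variant (an assumption of this example, not part of the
 * patch): copy out the Kx= token and inspect it directly, so the result does
 * not depend on how many blanks follow the field. */
int dhe_by_kx_field(const char *description)
{
    const char *kx = strstr(description, " Kx=");
    char token[32];
    size_t n = 0;

    if (kx == NULL)
        return 0;
    kx += strlen(" Kx=");
    /* copy the token up to the next blank or end of string */
    while (kx[n] != '\0' && kx[n] != ' ' && n < sizeof(token) - 1) {
        token[n] = kx[n];
        n++;
    }
    token[n] = '\0';
    /* "DH" alone or "DH(" (export) is ephemeral; "DH/RSA" and "DH/DSS" are
     * fixed DH, and "ECDH" is a different exchange altogether. */
    return strcmp(token, "DH") == 0 || strncmp(token, "DH(", 3) == 0;
}

/* Count ephemeral-DH suites in the sample list with a given classifier; an
 * audit of a live SSL_CTX would walk its cipher stack the same way. */
int count_dhe(int (*classify)(const char *))
{
    int count = 0;
    size_t i;

    for (i = 0; i < SAMPLE_COUNT; i++)
        if (classify(sample_descriptions[i]))
            count++;
    return count;
}

int main(void)
{
    size_t i;

    /* print both verdicts side by side for each constructed line */
    for (i = 0; i < SAMPLE_COUNT; i++)
        printf("%-4s %-4s %s\n",
               dhe_by_substring(sample_descriptions[i]) ? "DHE" : "-",
               dhe_by_kx_field(sample_descriptions[i]) ? "DHE" : "-",
               sample_descriptions[i]);
    return 0;
}
```

Both classifiers agree on the constructed lines: the two DHE suites (plain and export) are flagged, and the fixed-DH, ECDH and RSA suites are not. The field-based variant is the one to prefer if the padding of the Kx field ever changes, since it only assumes that the field ends at a blank.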
