bip/bip
bip/bip
3
0
Fork 1
Code Issues Pull Requests 2 Releases Activity

DH parameters are not always required

Browse Source 
for example ECDHE ciphers doesn't require DH parameters.

Closes #499
This commit is contained in:
Pierre-Louis Bonicoli 2018-03-21 11:12:21 +01:00
parent 385be75f7e
commit 13b2e37635
Signed by: pilou
GPG Key ID: ADC2651DDACD3538
2 changed files with 23 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/bip.c
View File

@ -1332,11 +1332,9 @@ int main(int argc, char **argv)
"readable / writable. Please fix the modes.", "readable / writable. Please fix the modes.",
conf_ssl_certfile); conf_ssl_certfile);
if (!conf_client_dh_file) { if (conf_client_dh_file) {
conf_client_dh_file = default_path(conf_biphome, "dh.pem", assert_path_exists(conf_client_dh_file);
"DH parameters");
} }
assert_path_exists(conf_client_dh_file);
} }
#endif #endif

27
src/connection.c
View File

@ -15,6 +15,7 @@
#include <sys/time.h> #include <sys/time.h>
#include <time.h> #include <time.h>
#include "connection.h" #include "connection.h"
#include "path_util.h"
extern int errno; extern int errno;
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
@ -24,6 +25,7 @@ static int ssl_cx_idx;
extern FILE *conf_global_log_file; extern FILE *conf_global_log_file;
static BIO *errbio = NULL; static BIO *errbio = NULL;
extern char *conf_ssl_certfile; extern char *conf_ssl_certfile;
extern char *conf_biphome;
extern char *conf_client_ciphers; extern char *conf_client_ciphers;
extern char *conf_client_dh_file; extern char *conf_client_dh_file;
static int SSLize(connection_t *cn, int *nc); static int SSLize(connection_t *cn, int *nc);
@ -1136,7 +1138,6 @@ static int ctx_set_dh(SSL_CTX *ctx)
FILE *f; FILE *f;
int ret; int ret;
/* Should not fail: already checked in main function */
if ((f = fopen(conf_client_dh_file, "r")) == NULL) { if ((f = fopen(conf_client_dh_file, "r")) == NULL) {
mylog(LOG_ERROR, "Unable to open DH parameters (%s): %s", mylog(LOG_ERROR, "Unable to open DH parameters (%s): %s",
conf_client_dh_file, strerror(errno)); conf_client_dh_file, strerror(errno));
@ -1209,11 +1210,25 @@ connection_t *accept_new(connection_t *cn)
return NULL; return NULL;
} }
if (!ctx_set_dh(sslctx)) { if (!conf_client_dh_file) {
mylog(LOG_ERROR, "SSL Unable to load DH " // try with a default path but don't fail if it doesn't exist
"parameters"); conf_client_dh_file = default_path(conf_biphome, "dh.pem",
connection_free(conn); "DH parameters");
return NULL;
struct stat st_buf;
if (stat(conf_client_dh_file, &st_buf) != 0) {
free(conf_client_dh_file);
conf_client_dh_file = NULL;
}
}
if (conf_client_dh_file) {
if (!ctx_set_dh(sslctx)) {
mylog(LOG_ERROR, "SSL Unable to load DH "
"parameters");
connection_free(conn);
return NULL;
}
} }
if (!SSL_CTX_use_certificate_chain_file(sslctx, if (!SSL_CTX_use_certificate_chain_file(sslctx,