ASF Bugzilla – Attachment 30804 Details for
Bug 49559
Patch to add user-specified Diffie-Hellman parameters
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
PoC: read (EC)DHE parameters from SSLCertificateFile (applies to trunk and 2.4.x)
PR49559_PoC.diff (text/plain), 3.23 KB, created by
Kaspar Brand
on 2013-09-08 08:10:11 UTC
(
hide
)
Description:
PoC: read (EC)DHE parameters from SSLCertificateFile (applies to trunk and 2.4.x)
Filename:
MIME Type:
Creator:
Kaspar Brand
Created:
2013-09-08 08:10:11 UTC
Size:
3.23 KB
patch
obsolete
>Index: modules/ssl/ssl_private.h >=================================================================== >--- modules/ssl/ssl_private.h (revision 1520841) >+++ modules/ssl/ssl_private.h (working copy) >@@ -930,8 +930,12 @@ > > /** Diffie-Hellman Parameter Support */ > DH *ssl_dh_GetTmpParam(int); >-DH *ssl_dh_GetParamFromFile(char *); >+DH *ssl_dh_GetParamFromFile(const char *); > >+#ifndef OPENSSL_NO_EC >+EC_GROUP *ssl_ec_GetParamFromFile(const char *); >+#endif >+ > unsigned char *ssl_asn1_table_set(apr_hash_t *table, > const char *key, > long int length); >Index: modules/ssl/ssl_engine_dh.c >=================================================================== >--- modules/ssl/ssl_engine_dh.c (revision 1520841) >+++ modules/ssl/ssl_engine_dh.c (working copy) >@@ -135,7 +135,7 @@ > return dh; > } > >-DH *ssl_dh_GetParamFromFile(char *file) >+DH *ssl_dh_GetParamFromFile(const char *file) > { > DH *dh = NULL; > BIO *bio; >Index: modules/ssl/ssl_engine_init.c >=================================================================== >--- modules/ssl/ssl_engine_init.c (revision 1520841) >+++ modules/ssl/ssl_engine_init.c (working copy) >@@ -192,6 +192,18 @@ > #define MODSSL_TMP_KEY_INIT_EC(s, bits) \ > ssl_tmp_key_init_ec(s, bits, SSL_TMP_KEY_EC_##bits) > >+EC_GROUP *ssl_ec_GetParamFromFile(const char *file) >+{ >+ EC_GROUP *ecg = NULL; >+ BIO *bio; >+ >+ if ((bio = BIO_new_file(file, "r")) == NULL) >+ return NULL; >+ ecg = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL); >+ BIO_free(bio); >+ return (ecg); >+} >+ > #endif > > #define MODSSL_TMP_KEY_INIT_RSA(s, bits) \ >@@ -1184,10 +1196,14 @@ > const char *rsa_id, *dsa_id; > #ifndef OPENSSL_NO_EC > const char *ecc_id; >+ EC_GROUP *ecparams; >+ EC_KEY *eckey; >+ int nid; > #endif > const char *vhost_id = mctx->sc->vhost_id; > int i; > int have_rsa, have_dsa; >+ DH *dhparams; > #ifndef OPENSSL_NO_EC > int have_ecc; > #endif >@@ -1234,6 +1250,33 @@ > "Oops, no " KEYTYPES " server private key found?!"); > ssl_die(s); > } >+ >+ /* >+ * Try to read DHE parameters from the (first) SSLCertificateFile >+ */ >+ if ((mctx->pks->cert_files[0] != NULL) && >+ (dhparams = ssl_dh_GetParamFromFile(mctx->pks->cert_files[0]))) { >+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); >+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO() >+ "DHE parameters (%d bits) for %s configured from %s", >+ BN_num_bits(dhparams->p), vhost_id, >+ mctx->pks->cert_files[0]); >+ } >+ >+#ifndef OPENSSL_NO_EC >+ /* >+ * Similarly, try to read the ECDHE curve name from SSLCertificateFile >+ */ >+ if ((mctx->pks->cert_files[0] != NULL) && >+ (ecparams = ssl_ec_GetParamFromFile(mctx->pks->cert_files[0])) && >+ (nid = EC_GROUP_get_curve_name(ecparams)) && >+ (eckey = EC_KEY_new_by_curve_name(nid))) { >+ SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey); >+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO() >+ "ECDHE curve (%s) for %s configured from %s", >+ OBJ_nid2sn(nid), vhost_id, mctx->pks->cert_files[0]); >+ } >+#endif > } > > #ifdef HAVE_TLS_SESSION_TICKETS
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 49559
:
25714
|
28699
|
30804