Enable built-in OpenSSL DH parameters to allow DHE TLS ciphers

Non-ECC DHE ciphers in the `cipher_list` attribute of `ApiListener` (the
default value includes these) had no effect as no DH parameters were available
and therefore the server wouldn't offer these ciphers. OpenSSL provides
built-in DH parameters starting from version 1.1.0, however, these have to be
enabled explicitly using the `SSL_CTX_set_dh_auto()` function. This commit does
so and thereby makes it possible to establish a connection to an Icinga 2
server using a DHE cipher.
Julian Brost 2023-06-29 12:06:26 +02:00
parent a2926b8604
commit a2e05f89e8
1 changed files with 8 additions and 0 deletions
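The behaviour the commit message describes can be reproduced from the command line without touching Icinga 2 at all. The script below is an added example, not code from the Icinga 2 project or from OpenSSL: it starts `openssl s_server` once with `-no_dhe` (no DH parameters, the pre-commit situation) and once with its default, which calls `SSL_CTX_set_dh_auto(ctx, 1)` exactly as the patch does, and points a TLS 1.2 client that offers only DHE ciphers at each. It assumes the `openssl` binary (1.1.0 or newer, default system configuration) is on `PATH` and that ports 14433 to 14436 on 127.0.0.1 are free; the key, certificate and port numbers are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Icinga 2 or OpenSSL project code): show that a server
# without DH parameters cannot negotiate a DHE cipher, while one with
# SSL_CTX_set_dh_auto enabled (openssl s_server's default) can.
# Assumptions: openssl >= 1.1.0 on PATH, 127.0.0.1 ports 14433-14436 free.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed RSA key and certificate (constructed test material).
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=dhe-test -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Print the cipher a DHE-only TLS 1.2 client negotiates with HOST:PORT, or
# "none" when the handshake fails (s_client then prints "Cipher is (NONE)").
probe_dhe() {
    host=$1; port=$2
    cipher=$(openssl s_client -connect "$host:$port" -tls1_2 \
        -cipher 'DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384' \
        </dev/null 2>/dev/null | sed -n 's/^New, .*Cipher is //p')
    case $cipher in
        DHE-*) printf '%s\n' "$cipher" ;;
        *)     echo none ;;
    esac
    return 0
}

# Start s_server on PORT with any extra flags (e.g. -no_dhe), probe it with
# the DHE-only client, shut the server down and print the probe result.
dhe_cipher_with_server() {
    port=$1; shift
    openssl s_server -accept "$port" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -tls1_2 -www "$@" >/dev/null 2>&1 &
    pid=$!
    sleep 1                      # give s_server a moment to bind the port
    probe_dhe 127.0.0.1 "$port"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    return 0
}

echo "server without DH parameters (-no_dhe): $(dhe_cipher_with_server 14433 -no_dhe)"
echo "server with built-in DH parameters:     $(dhe_cipher_with_server 14434)"
```

The same `probe_dhe` call, aimed at an Icinga 2 API port instead of the local `s_server`, is the check to run before and after deploying this commit: "none" means the server still offers no DHE suite, a `DHE-RSA-…` name means the built-in parameters are active.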


@ -104,6 +104,14 @@ static void InitSslContext(const Shared<boost::asio::ssl::context>::Ptr& context
# endif /* SSL_CTX_set_ecdh_auto */ # endif /* SSL_CTX_set_ecdh_auto */
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
// The built-in DH parameters have to be enabled explicitly to allow the use of ciphers that use a DHE key exchange.
// SSL_CTX_set_dh_auto is only documented in OpenSSL starting from version 3.0.0 but was already added in 1.1.0.
// https://github.com/openssl/openssl/commit/09599b52d4e295c380512ba39958a11994d63401
// https://github.com/openssl/openssl/commit/0437309fdf544492e272943e892523653df2f189
SSL_CTX_set_dh_auto(sslContext, 1);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
if (!pubkey.IsEmpty()) { if (!pubkey.IsEmpty()) {
if (!SSL_CTX_use_certificate_chain_file(sslContext, pubkey.CStr())) { if (!SSL_CTX_use_certificate_chain_file(sslContext, pubkey.CStr())) {
ERR_error_string_n(ERR_peek_error(), errbuf, sizeof errbuf); ERR_error_string_n(ERR_peek_error(), errbuf, sizeof errbuf);
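Review bot: the return value of `SSL_CTX_set_dh_auto(sslContext, 1)` in the new `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` block is discarded, while the `SSL_CTX_use_certificate_chain_file` call a few lines below is checked and reported through `ERR_error_string_n(ERR_peek_error(), errbuf, sizeof errbuf)`. The call is a `SSL_CTX_ctrl` wrapper that returns 0 when the library was built without DH support, in which case the server silently ends up exactly where it was before this change: DHE suites listed in `cipher_list` but never offered. Suggest `if (!SSL_CTX_set_dh_auto(sslContext, 1)) { ... }` with the same error reporting as the neighbouring calls, so the failure is visible in the log rather than only in a cipher scan of the API port.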