From a2e05f89e8a2e50368af13fb4a9d1ad601355a02 Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Thu, 29 Jun 2023 12:06:26 +0200
Subject: [PATCH] Enable built-in OpenSSL DH parameters to allow DHE TLS ciphers

Non-ECC DHE ciphers in the `cipher_list` attribute of `ApiListener` (the default value includes these) had no effect as no DH parameters were available and therefore the server wouldn't offer these ciphers.

OpenSSL provides built-in DH parameters starting from version 1.1.0, however, these have to be enables explicitly using the `SSL_CTX_set_dh_auto()` function. This commit does so and thereby makes it possible to establish a connection to an Icinga 2 server using a DHE cipher.
---
 lib/base/tlsutility.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 7e2193c89..dc2e7ba73 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -104,6 +104,14 @@ static void InitSslContext(const Shared::Ptr& context
 # endif /* SSL_CTX_set_ecdh_auto */
 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ // The built-in DH parameters have to be enabled explicitly to allow the use of ciphers that use a DHE key exchange.
+ // SSL_CTX_set_dh_auto is only documented in OpenSSL starting from version 3.0.0 but was already added in 1.1.0.
+ // https://github.com/openssl/openssl/commit/09599b52d4e295c380512ba39958a11994d63401
+ // https://github.com/openssl/openssl/commit/0437309fdf544492e272943e892523653df2f189
+ SSL_CTX_set_dh_auto(sslContext, 1);
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+
 if (!pubkey.IsEmpty()) {
 if (!SSL_CTX_use_certificate_chain_file(sslContext, pubkey.CStr())) {
 ERR_error_string_n(ERR_peek_error(), errbuf, sizeof errbuf);
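Review bot: The return value of `SSL_CTX_set_dh_auto(sslContext, 1)` in the new `#if` block is discarded, while the neighbouring `SSL_CTX_use_certificate_chain_file` call in the same function is checked and its failure reported through `ERR_error_string_n`. OpenSSL documents the call as returning 1 on success and 0 on error, and on error the DHE ciphers from `cipher_list` would silently stay unavailable, which is the very condition this commit sets out to fix, so wrapping it as `if (!SSL_CTX_set_dh_auto(sslContext, 1)) { ERR_error_string_n(ERR_peek_error(), errbuf, sizeof errbuf); /* log and throw as the certificate branch does */ }` keeps the function's error handling uniform. Since the DH group OpenSSL auto-selects is tied to the strength of the server certificate's key rather than fixed by this code, the comment could note that a weak certificate key yields a correspondingly weaker group — confirm the exact selection rule against the OpenSSL versions the project supports. If LibreSSL builds are supported, the `OPENSSL_VERSION_NUMBER >= 0x10100000L` guard also deserves a check, because LibreSSL reports a version number above that threshold independently of which OpenSSL 1.1 APIs it provides. InitSslContext begins before the hunk and its body, including the handling that follows the `ERR_error_string_n` call, continues past it.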