tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-06 21:34:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9811 from Icinga/allow-dhe-tls-ciphers

Browse Source 
Enable built-in OpenSSL DH parameters to allow DHE TLS ciphers
This commit is contained in:
Julian Brost 2023-06-30 10:41:32 +02:00 committed by GitHub
commit fdaa96ece1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/base/tlsutility.cpp
View File

@ -104,6 +104,14 @@ static void InitSslContext(const Shared<boost::asio::ssl::context>::Ptr& context
# endif /* SSL_CTX_set_ecdh_auto */ # endif /* SSL_CTX_set_ecdh_auto */
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
// The built-in DH parameters have to be enabled explicitly to allow the use of ciphers that use a DHE key exchange.
// SSL_CTX_set_dh_auto is only documented in OpenSSL starting from version 3.0.0 but was already added in 1.1.0.
// https://github.com/openssl/openssl/commit/09599b52d4e295c380512ba39958a11994d63401
// https://github.com/openssl/openssl/commit/0437309fdf544492e272943e892523653df2f189
SSL_CTX_set_dh_auto(sslContext, 1);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
if (!pubkey.IsEmpty()) { if (!pubkey.IsEmpty()) {
if (!SSL_CTX_use_certificate_chain_file(sslContext, pubkey.CStr())) { if (!SSL_CTX_use_certificate_chain_file(sslContext, pubkey.CStr())) {
ERR_error_string_n(ERR_peek_error(), errbuf, sizeof errbuf); ERR_error_string_n(ERR_peek_error(), errbuf, sizeof errbuf);