From: Emeric Brun Date: Wed, 6 Mar 2013 13:08:53 +0000 (+0100) Subject: BUG/MEDIUM: ssl: ECDHE ciphers not usable without named curve configured. X-Git-Tag: v1.5-dev18~76 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6924ef8b12ad6f935bb5287ff4b2ae17bdbbf928;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl: ECDHE ciphers not usable without named curve configured. Fix consists to use prime256v1 as default named curve to init ECDHE ciphers if none configured. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 398ce872fe..195f330ec4 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -7079,8 +7079,8 @@ backlog ecdhe This setting is only available when support for OpenSSL was built in. It sets - the named curve (RFC 4492) used to generate ECDH ephemeral keys and makes - ECDHE cipher suites usable. + the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default, + used named curve is prime256v1. ca-file This setting is only available when support for OpenSSL was built in. It diff --git a/include/common/defaults.h b/include/common/defaults.h index 9b54276b25..a247faf741 100644 --- a/include/common/defaults.h +++ b/include/common/defaults.h @@ -191,6 +191,11 @@ #define LISTEN_DEFAULT_CIPHERS NULL #endif +/* named curve used as defaults for ECDHE ciphers */ +#ifndef ECDHE_DEFAULT_CURVE +#define ECDHE_DEFAULT_CURVE "prime256v1" +#endif + /* ssl cache size */ #ifndef SSLCACHESIZE #define SSLCACHESIZE 20000 diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 7fb5aa0182..580ff5a0b4 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -625,14 +625,15 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy SSL_CTX_set_tlsext_servername_arg(ctx, bind_conf); #endif #if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH) - if (bind_conf->ecdhe) { + { int i; EC_KEY *ecdh; - i = OBJ_sn2nid(bind_conf->ecdhe); + i = OBJ_sn2nid(bind_conf->ecdhe ? bind_conf->ecdhe : ECDHE_DEFAULT_CURVE); if (!i || ((ecdh = EC_KEY_new_by_curve_name(i)) == NULL)) { Alert("Proxy '%s': unable to set elliptic named curve to '%s' for bind '%s' at [%s:%d].\n", - curproxy->id, bind_conf->ecdhe, bind_conf->arg, bind_conf->file, bind_conf->line); + curproxy->id, bind_conf->ecdhe ? bind_conf->ecdhe : ECDHE_DEFAULT_CURVE, + bind_conf->arg, bind_conf->file, bind_conf->line); cfgerr++; } else {