From: Remi Gacogne
Date: Thu, 12 Jun 2014 16:20:11 +0000 (+0200)
Subject: MEDIUM: ssl: fix detection of ephemeral diffie-hellman key exchange by using the...
X-Git-Tag: v1.5.0~42
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c1eab8c96f06dc8c28086955477aafff987da6db;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl: fix detection of ephemeral diffie-hellman key exchange by using the cipher description.

In OpenSSL, the name of a cipher using ephemeral diffie-hellman for key exchange can start with EDH, but also DHE, EXP-EDH or EXP1024-DHE. We work around this issue by using the cipher's description instead of the cipher's name. Hopefully the description is less likely to change in the future.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bfbb5b8fcb..8fb8b5f037 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1022,10 +1022,12 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 SSL_MODE_RELEASE_BUFFERS;
 STACK_OF(SSL_CIPHER) * ciphers = NULL;
 SSL_CIPHER * cipher = NULL;
- const char * cipher_name = NULL;
- /* The name of ciphers using an Ephemeral Diffie Hellman key exchange
- starts with "EDH". */
- const char edh_name[] = "EDH";
+ char cipher_description[128];
+ /* The description of ciphers using an Ephemeral Diffie Hellman key exchange
+ contains " Kx=DH " or " Kx=DH(". Beware of " Kx=DH/",
+ which is not ephemeral DH. */
+ const char dhe_description[] = " Kx=DH ";
+ const char dhe_export_description[] = " Kx=DH(";
 int idx = 0;
 int dhe_found = 0;
@@ -1124,10 +1126,12 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 if (ciphers) {
 for (idx = 0; idx < sk_SSL_CIPHER_num(ciphers); idx++) {
 cipher = sk_SSL_CIPHER_value(ciphers, idx);
- cipher_name = SSL_CIPHER_get_name(cipher);
- if (strncmp(cipher_name, edh_name, sizeof (edh_name)-1) == 0) {
- dhe_found = 1;
- break;
+ if (SSL_CIPHER_description(cipher, cipher_description, sizeof (cipher_description)) == cipher_description) {
+ if (strstr(cipher_description, dhe_description) != NULL ||
+ strstr(cipher_description, dhe_export_description) != NULL) {
+ dhe_found = 1;
+ break;
+ }
 }
 }
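Review bot: The new strstr() test is coupled to the exact textual layout of SSL_CIPHER_description(): it only recognizes `Kx=DH` followed by a space or by `(`, so any other spelling of an ephemeral DH key exchange in the Kx field of a later OpenSSL release (the `Kx=DH/` static-DH case is excluded on purpose, but, as far as I recall, a PSK-combined DHE suite is printed differently) leaves dhe_found at 0 with no diagnostic. Presumably dhe_found gates the loading of DH parameters — the rest of ssl_sock_prepare_ctx, including what consumes dhe_found, is outside this hunk — so a missed match would silently leave those suites without usable DH parameters at handshake time instead of failing visibly at startup. I would make the coupling explicit with a comment above the inner `if`, `/* Tied to OpenSSL's description format: "Kx=DH" (space-padded) and "Kx=DH(" are ephemeral, "Kx=DH/" is static; re-verify on each OpenSSL upgrade. */`, and emit a startup warning when a description contains `Kx=DH` but matches neither pattern, so a format change is noticed rather than absorbed. Note also that matching `" Kx=DH("` means export-grade (512-bit) DHE suites are deliberately detected and kept working; whether they belong in the configured cipher list at all is a separate hardening question that deserves a one-line comment here.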