commit 23d5d378d008eaf31c17657eb8020b1462f42280
author Remi Gacogne <rgacogne[at]aquaray[dot]fr> Fri Oct 10 17:04:26 2014 +0200
committer Willy Tarreau <w@1wt.eu> Mon Oct 20 18:01:06 2014 +0200
tree 4e4160d5b833f39b70d70b2ae6fe68cfa03a4c81
parent fad4ffc89337277f3d5ed32b66986730e891558a

MINOR: ssl: use SSL_get_ciphers() instead of directly accessing the cipher list.

src/ssl_sock.c

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c35d7ff..4e39c8b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1478,9 +1478,8 @@
 		SSL_MODE_ENABLE_PARTIAL_WRITE |
 		SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
 		SSL_MODE_RELEASE_BUFFERS;
-#ifndef OPENSSL_IS_BORINGSSL
 	STACK_OF(SSL_CIPHER) * ciphers = NULL;
-	SSL_CIPHER * cipher = NULL;
+	SSL_CIPHER const * cipher = NULL;
 	char cipher_description[128];
 	/* The description of ciphers using an Ephemeral Diffie Hellman key exchange
 	   contains " Kx=DH " or " Kx=DH(". Beware of " Kx=DH/",
@@ -1489,10 +1488,7 @@
 	const char dhe_export_description[] = " Kx=DH(";
 	int idx = 0;
 	int dhe_found = 0;
-#else /* OPENSSL_IS_BORINGSSL */
-	/* assume dhe_found if boringssl is detected */
-	int dhe_found = 1;
-#endif
+	SSL *ssl = NULL;
 
 	/* Make sure openssl opens /dev/urandom before the chroot */
 	if (!ssl_initialize_random()) {
@@ -1585,22 +1581,26 @@
 	   no static DH params were in the certificate file. */
 	if (global.tune.ssl_default_dh_param == 0) {
 
-#ifndef OPENSSL_IS_BORINGSSL
-		ciphers = ctx->cipher_list;
+		ssl = SSL_new(ctx);
 
-		if (ciphers) {
-			for (idx = 0; idx < sk_SSL_CIPHER_num(ciphers); idx++) {
-				cipher = sk_SSL_CIPHER_value(ciphers, idx);
-				if (SSL_CIPHER_description(cipher, cipher_description, sizeof (cipher_description)) == cipher_description) {
-					if (strstr(cipher_description, dhe_description) != NULL ||
-					    strstr(cipher_description, dhe_export_description) != NULL) {
-						dhe_found = 1;
-						break;
+		if (ssl) {
+			ciphers = SSL_get_ciphers(ssl);
+
+			if (ciphers) {
+				for (idx = 0; idx < sk_SSL_CIPHER_num(ciphers); idx++) {
+					cipher = sk_SSL_CIPHER_value(ciphers, idx);
+					if (SSL_CIPHER_description(cipher, cipher_description, sizeof (cipher_description)) == cipher_description) {
+						if (strstr(cipher_description, dhe_description) != NULL ||
+						    strstr(cipher_description, dhe_export_description) != NULL) {
+							dhe_found = 1;
+							break;
+						}
 					}
 				}
 			}
+			SSL_free(ssl);
+			ssl = NULL;
 		}
-#endif /* OPENSSL_IS_BORINGSSL */
 
 		if (dhe_found) {
 			Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n");