BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten
Hervé Commowick reported that the logic used to avoid complaining about
ssl-default-dh-param not being set when static DH params are present
in the certificate file was clearly wrong when more than one sni_ctx
is used.
This patch stores whether static DH params are being used for each
SSL_CTX individually, and does not overwrite the value of
tune.ssl.default-dh-param.
(cherry picked from commit 4f902b88323927c9d25d391a809e3678ac31df41)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index a78fc6a..0f7819b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -47,6 +47,9 @@
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
#include <openssl/ocsp.h>
#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
#include <common/buffer.h>
#include <common/compat.h>
@@ -107,6 +110,7 @@
int totalsslconns = 0;
#ifndef OPENSSL_NO_DH
+static int ssl_dh_ptr_index = -1;
static DH *local_dh_1024 = NULL;
static DH *local_dh_2048 = NULL;
static DH *local_dh_4096 = NULL;
@@ -1076,10 +1080,12 @@
if (dh) {
ret = 1;
SSL_CTX_set_tmp_dh(ctx, dh);
- /* Setting ssl default dh param to the size of the static DH params
- found in the file. This way we know that there is no use
- complaining later about ssl-default-dh-param not being set. */
- global.tune.ssl_default_dh_param = DH_size(dh) * 8;
+
+ if (ssl_dh_ptr_index >= 0) {
+ /* store a pointer to the DH params to avoid complaining about
+ ssl-default-dh-param not being set for this SSL_CTX */
+ SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, dh);
+ }
}
else {
/* Clear openssl global errors stack */
@@ -1274,6 +1280,12 @@
* the tree, so it will be discovered and cleaned in time.
*/
#ifndef OPENSSL_NO_DH
+ /* store a NULL pointer to indicate we have not yet loaded
+ a custom DH param file */
+ if (ssl_dh_ptr_index >= 0) {
+ SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);
+ }
+
ret = ssl_sock_load_dh_params(ctx, path);
if (ret < 0) {
if (err)
@@ -1593,7 +1605,9 @@
/* If tune.ssl.default-dh-param has not been set and
no static DH params were in the certificate file. */
- if (global.tune.ssl_default_dh_param == 0) {
+ if (global.tune.ssl_default_dh_param == 0 &&
+ (ssl_dh_ptr_index == -1 ||
+ SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
ciphers = ctx->cipher_list;
if (ciphers) {
@@ -4715,6 +4729,10 @@
bind_register_keywords(&bind_kws);
srv_register_keywords(&srv_kws);
cfg_register_keywords(&cfg_kws);
+
+#ifndef OPENSSL_NO_DH
+ ssl_dh_ptr_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+#endif
}
__attribute__((destructor))