Article delegate-en/4094 of [1-5169] on the server localhost:119
[Reference:<_A4093@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: SSL no shared cipher
25 Aug 2008 05:36:56 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A4093@delegate-en.ML_> on 08/25/08(03:15:28)
you Andre <pzyhqbdyi-g7ilkru7mhjr.ml@ml.delegate.org> wrote:
 |I tested this with some other ciphers, also deliberately forcing a
 |specific cipher. When testing with the openssl s_server command,
 |Diffie-Hellman parameters are generated.
 |
 |According to [1] in the NOTES section, there are some conditions for
 |specific ciphers. If these conditions are not met, it could cause a "no
 |shared cipher" error to be produced. It seems that this might be a
 |problem since I don't explicitly supply Diffie-Hellman parameters and I
 |don't know if they are generated on the fly by openssl, but I suspect
 |this to be not the case since this can take quite a while depending on
 |their length.

I noticed that I have not implemented Diffie-Hellman handling :-O
The enclosed patch does it by loading DH parameters from a file
"dhparam.pem" under the default certificate store of DeleGate
(CERTDIR = DGROOT/etc/certs by default).
The file can be created as follows for example:

  % openssl dhparam -5 -out $DGROOT/etc/certs/dhparam.pem

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


*** dist/src/delegate9.8.4-pre6/filters/sslway.c	Mon Aug 25 02:31:20 2008
--- sslway.c	Mon Aug 25 14:28:06 2008
***************
*** 343,348 ****
--- 343,356 ----
  void ENGINE_load_builtin_engines(void);/*OPT(0)*/
  void OPENSSL_add_all_algorithms_conf(void);/*OPT(0)*/
  
+ BIO *BIO_new_file(const char *filename, const char *mode);
+ typedef void DH;
+ DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
+ void DH_free(DH *dh);
+ #define SSL_CTRL_SET_TMP_DH 3
+ #define SSL_CTX_set_tmp_dh(ctx,dh) \
+         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
+ 
  #ifdef __cplusplus
  }
  #endif
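Review bot: the OpenSSL API is re-declared by hand in this hunk (`typedef void DH;`, a private `SSL_CTX_set_tmp_dh` macro and a hard-coded `#define SSL_CTRL_SET_TMP_DH 3`) instead of coming from `<openssl/ssl.h>`, `<openssl/dh.h>` and `<openssl/pem.h>`; if sslway.c cannot include those headers here, at least add a comment stating which OpenSSL version the control number was copied from, because a changed value would not fail to compile but would make `SSL_CTX_ctrl` do something else at runtime, and `typedef void DH;` will clash with the real `DH` typedef the moment a header is included. `BIO_free` is called by the loader in the next hunk but no prototype for it appears alongside `BIO_new_file`; unless it is already declared elsewhere in sslway.c, add `int BIO_free(BIO *a);` next to `BIO *BIO_new_file(const char *filename, const char *mode);`.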
***************
*** 1968,1973 ****
--- 1976,1998 ----
  	int code;
  	CertKey1 *cert1;
  
+ 	IStr(path,1024);
+ 	if( findcert("dhparam.pem",AVStr(path),0)
+ 	 || findcert("dhparam.der",AVStr(path),0)
+ 	){
+ 		BIO *Bp;
+ 		DH *dh;
+ 		DEBUG("-- loading DH PARAMS: %s",path);
+ 		if( Bp = BIO_new_file(path,"r") ){
+ 			if( dh = PEM_read_bio_DHparams(Bp,NULL,NULL,NULL) ){
+ 				SSL_CTX_set_tmp_dh(ctx,dh);
+ 				DH_free(dh);
+ 				TRACE("-- loaded DH PARAMS: %s",path);
+ 			}
+ 			BIO_free(Bp);
+ 		}
+ 	}
+ 
  	if( getcertdflt(ctx,clnt) ){
  		clnt |= GOTCERT;
  		VDEBUG("--CERTS setcerts clnt=%d ...",clnt);
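Review bot: `findcert("dhparam.der",AVStr(path),0)` accepts a DER file, but the only parser called is `PEM_read_bio_DHparams`, so a `dhparam.der` that is found will fail to parse and the server continues with no DH group, reproducing the "no shared cipher" failure the patch is meant to fix; either drop the `.der` lookup or parse it with `d2i_DHparams_bio(Bp,NULL)` when the path ends in `.der`. The failure paths are also silent: a NULL from `BIO_new_file` or `PEM_read_bio_DHparams` produces no message (only the success case gets `TRACE("-- loaded DH PARAMS: %s",path)`) and the return value of `SSL_CTX_set_tmp_dh(ctx,dh)` is discarded, so log each failure and only emit the success trace when `SSL_CTX_set_tmp_dh` returns 1. Finally the group is installed whatever its size; since a short group weakens every DHE handshake the server performs, consider refusing parameters whose `DH_size(dh)` (in bytes) is below a configured minimum before calling `SSL_CTX_set_tmp_dh`.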

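The patch loads whatever parses out of dhparam.pem and installs it without looking at the group. The following is an added example, not code from the DeleGate project or from the message above: a pure-Python reader for the "DH PARAMETERS" PEM format (PKCS#3 DHParameter, SEQUENCE of INTEGER p and INTEGER g) that reports the size of p, whether the generator is the 2 or 5 that `openssl dhparam -2`/`-5` emit, and whether p is a safe prime. The 2048-bit minimum, the function names and the small sample groups are my choices and assumptions, not anything the patch or OpenSSL define; the `openssl dhparam` command in the message passes no bit length, so the size of p is whatever that OpenSSL build defaults to, which is exactly why a check like this is worth running on the file before it is placed under CERTDIR.

```python
"""Sanity-check a dhparam.pem (PKCS#3 DHParameter) before DeleGate loads it.

Added example, not DeleGate code.  Parses the same PEM structure that
PEM_read_bio_DHparams reads (SEQUENCE { INTEGER p, INTEGER g }) and reports
size, generator and safe-primality of the group.  The 2048-bit floor is an
assumption; all groups used in testing are constructed values, not vetted ones.
"""
import base64
import random

PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):
    """DER INTEGER for non-negative v; the spare byte keeps the sign bit clear."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def _read_tlv(buf, i):
    """Return (tag, value, index after the element) for the TLV at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def encode_dhparams(p, g):
    """Build the PEM form that openssl dhparam writes (used to construct samples)."""
    inner = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER] + lines + [PEM_FOOTER]) + "\n"

def decode_dhparams(pem_text):
    """Parse a DH PARAMETERS PEM block and return (p, g)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not a DH PARAMETERS PEM block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SEQUENCE malformed")
    tag_p, p_bytes, j = _read_tlv(seq, 0)
    tag_g, g_bytes, j = _read_tlv(seq, j)
    if tag_p != 0x02 or tag_g != 0x02 or j > len(seq):
        raise ValueError("expected INTEGER p, INTEGER g")
    # PKCS#3 allows an optional privateValueLength after g; it is ignored here.
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def is_probable_prime(n, rounds=16):
    """Miller-Rabin with a fixed seed so a given file always gets the same verdict."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dhparams(pem_text, min_bits=2048):
    """Return (bits of p, g, findings); an empty findings list means it passed."""
    p, g = decode_dhparams(pem_text)
    findings = []
    if p.bit_length() < min_bits:
        findings.append("p is %d bits, below the %d-bit minimum" % (p.bit_length(), min_bits))
    if g not in (2, 5):
        findings.append("generator %d is not the 2 or 5 that openssl dhparam emits" % g)
    if not is_probable_prime(p):
        findings.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("p is not a safe prime: (p-1)/2 is composite")
    return p.bit_length(), g, findings

if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "dhparam.pem") as fh:
        bits, gen, problems = check_dhparams(fh.read())
    print("p: %d bits, g = %d" % (bits, gen))
    for problem in problems:
        print("WARNING:", problem)
```

Run it as `python check_dhparams.py $DGROOT/etc/certs/dhparam.pem`; on a real 2048-bit group the two Miller-Rabin passes take well under a second. A non-empty findings list is the signal to regenerate the file with an explicit size, for example `openssl dhparam -5 2048`, before the SSLway filter picks it up.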