Article delegate-en/4095 of [1-5169] on the server localhost:119
[Reference:<_A4094@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: SSL no shared cipher
25 Aug 2008 09:51:18 GMT Andre <pzyhqbdyi-mnhipghrs5jr.ml@ml.delegate.org>


Hi.

Thanks again for the quick response. The supplied patch works like a charm.

Best regards,
Andre

Yutaka Sato schrieb:
> Hi,
>
> In message <_A4093@delegate-en.ML_> on 08/25/08(03:15:28)
> you Andre <pzyhqbdyi-mnhipghrs5jr.ml@ml.delegate.org> wrote:
>  |I tested this with some other ciphers, also deliberately forcing a
>  |specific cipher. When testing with the openssl s_server command,
>  |Diffie-Hellman parameters are generated.
>  |
>  |According to [1] in the NOTES section, there are some conditions for
>  |specific ciphers. If these conditions are not met, it could cause a "no
>  |shared cipher" error to be produced. It seems that this might be a
>  |problem since I don't explicitly supply Diffie-Hellman parameters and I
>  |don't know if they are generated on the fly by openssl, but I suspect
>  |this to be not the case since this can take quite a while depending on
>  |their length.
>
> I noticed that I have not implemented Diffie-Hellman handling :-O
> The enclosed patch does it by loading DH parameters from a file
> "dhparam.pem" under the default certificate store of DeleGate
> (CERTDIR = DGROOT/etc/certs by default).
> The file can be created as follows for example:
>
>   % openssl dhparam -5 -out $DGROOT/etc/certs/dhparam.pem
>
> Cheers,
> Yutaka
> --
>   9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
>  ( ~ )  National Institute of Advanced Industrial Science and Technology
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller
>
>
> *** dist/src/delegate9.8.4-pre6/filters/sslway.c	Mon Aug 25 02:31:20 2008
> --- sslway.c	Mon Aug 25 14:28:06 2008
> ***************
> *** 343,348 ****
> --- 343,356 ----
>   void ENGINE_load_builtin_engines(void);/*OPT(0)*/
>   void OPENSSL_add_all_algorithms_conf(void);/*OPT(0)*/
>   
> + BIO *BIO_new_file(const char *filename, const char *mode);
> + typedef void DH;
> + DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
> + void DH_free(DH *dh);
> + #define SSL_CTRL_SET_TMP_DH 3
> + #define SSL_CTX_set_tmp_dh(ctx,dh) \
> +         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
> + 
>   #ifdef __cplusplus
>   }
>   #endif
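
Review bot: `typedef void DH;` together with the `(char *)dh` cast in the `SSL_CTX_set_tmp_dh` macro removes every type check on what is handed to `SSL_CTX_ctrl`, and `#define SSL_CTRL_SET_TMP_DH 3` duplicates a value owned by OpenSSL's ssl.h; if the headers this file is built against ever define it differently, the wrong ctrl is issued with no compile-time warning. This follows the file's existing habit of hand-declaring OpenSSL functions (see `ENGINE_load_builtin_engines` just above the added lines), so if including `<openssl/ssl.h>` here is not an option, at least add a comment naming the header and OpenSSL version the constant and the macro were copied from. Note also that `pem_password_cb` in the `PEM_read_bio_DHparams` prototype depends on a declaration that is not visible in this hunk.
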
> ***************
> *** 1968,1973 ****
> --- 1976,1998 ----
>   	int code;
>   	CertKey1 *cert1;
>   
> + 	IStr(path,1024);
> + 	if( findcert("dhparam.pem",AVStr(path),0)
> + 	 || findcert("dhparam.der",AVStr(path),0)
> + 	){
> + 		BIO *Bp;
> + 		DH *dh;
> + 		DEBUG("-- loading DH PARAMS: %s",path);
> + 		if( Bp = BIO_new_file(path,"r") ){
> + 			if( dh = PEM_read_bio_DHparams(Bp,NULL,NULL,NULL) ){
> + 				SSL_CTX_set_tmp_dh(ctx,dh);
> + 				DH_free(dh);
> + 				TRACE("-- loaded DH PARAMS: %s",path);
> + 			}
> + 			BIO_free(Bp);
> + 		}
> + 	}
> + 
>   	if( getcertdflt(ctx,clnt) ){
>   		clnt |= GOTCERT;
>   		VDEBUG("--CERTS setcerts clnt=%d ...",clnt);
>   
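
Review bot: `findcert("dhparam.der",...)` accepts a DER file, but the only parser called is `PEM_read_bio_DHparams`, which returns NULL on DER input, so a `dhparam.der` is found and then silently dropped; either remove the `.der` lookup or decode that path with `d2i_DHparams_bio(Bp,NULL)` instead. Both failure branches (`BIO_new_file` returning NULL and the PEM parse returning NULL) log nothing while only success gets a TRACE, so a missing, unreadable or malformed file leaves the administrator with exactly the "no shared cipher" symptom this thread started from; add a TRACE carrying `path` in each failure branch. Minor: `if( Bp = BIO_new_file(path,"r") )` and `if( dh = PEM_read_bio_DHparams(...) )` are assignments used as conditions; an extra pair of parentheses makes the intent explicit.
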

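As an added example (not part of this thread, and not DeleGate or OpenSSL code), the following Python script shows what the `dhparam.pem` file loaded by the patch actually contains and what is worth checking in it before a server offers DHE cipher suites. It builds such a file from the well-known 1024-bit RFC 2409 group 2 (a constructed sample standing in for the output of the `openssl dhparam` command quoted above), parses either PEM or DER, and reports the prime length, whether p is a safe prime, and the order of the generator. All function names, the 2048-bit floor and the Miller-Rabin round count are this example's own choices.

```python
import base64
import random
import re

# RFC 2409 "Second Oakley Group": 1024-bit MODP safe prime, generator 2 (constructed sample input).
MODP_1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
MODP_1024_G = 2

def _der(tag, content):
    """One DER TLV; lengths >= 0x80 use the long form."""
    n = len(content)
    if n >= 0x80:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(nb)]) + nb + content
    return bytes([tag, n]) + content

def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # leading 0x00 keeps it positive

def encode_dhparams_der(p, g):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    return _der(0x30, _der_int(p) + _der_int(g))

def encode_dhparams_pem(p, g):
    """Same bytes, base64-wrapped the way 'openssl dhparam -out' writes them."""
    b64 = base64.b64encode(encode_dhparams_der(p, g)).decode("ascii")
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END DH PARAMETERS-----\n")

def _read_tlv(buf, pos, tag):
    """Return (value, next_pos) for the DER element at pos, insisting on tag."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def decode_dhparams_der(der):
    """Parse DER DHParameter into (p, g); an optional third INTEGER is ignored."""
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after DHParameter SEQUENCE")
    p_bytes, pos = _read_tlv(body, 0, 0x02)
    g_bytes, _ = _read_tlv(body, pos, 0x02)
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def load_dhparams(data):
    """Accept PEM or DER: a loader that looks for both dhparam.pem and
    dhparam.der must dispatch on the content, not only on the file name."""
    m = re.search(rb"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  data, re.S)
    if m:
        return decode_dhparams_der(base64.b64decode(b"".join(m.group(1).split())))
    if data[:1] == b"\x30":
        return decode_dhparams_der(data)
    raise ValueError("neither a PEM 'DH PARAMETERS' block nor a DER SEQUENCE")

def is_probable_prime(n, rounds=24):
    """Miller-Rabin with random bases; probabilistic, adequate for a sanity check."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dhparams(p, g, min_bits=2048):
    """What a server should verify before offering DHE suites with (p, g)."""
    q = (p - 1) // 2
    return {
        "bits": p.bit_length(),
        "meets_min_bits": p.bit_length() >= min_bits,
        "safe_prime": is_probable_prime(p) and is_probable_prime(q),  # p = 2q + 1
        "generator_ok": 1 < g < p - 1,  # rules out the trivial elements 0, 1, p-1
        # for a safe prime, g^q is 1 (order q, the QR subgroup) or p-1 (order 2q)
        "g_order": "q" if pow(g, q, p) == 1 else "2q",
    }
```

Calling `check_dhparams(*load_dhparams(open(path, "rb").read()))` on a real file surfaces two points the thread leaves implicit: the `openssl dhparam -5 -out ...` invocation quoted above gives no size, and older releases of openssl(1) default to 512-bit parameters when none is given, which fails the 2048-bit floor used here (the sample 1024-bit group fails it too); and a DER file is only usable if the loader dispatches on content, which `PEM_read_bio_DHparams` alone does not do.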
