MEDIUM: ssl: fix detection of ephemeral diffie-hellman key exchange by using the cipher description.

In OpenSSL, the name of a cipher using ephemeral diffie-hellman for key exchange can start with EDH, but also DHE, EXP-EDH or EXP1024-DHE. We work around this issue by using the cipher's description instead of the cipher's name. Hopefully the description is less likely to change in the future.
2024-12-16 16:34:42 +00:00 · 2014-06-12 18:20:11 +02:00 · 2014-06-12 18:20:11 +02:00 · c1eab8c96f
commit c1eab8c96f
parent f46cd6e4ec
1 changed files with 12 additions and 8 deletions
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -1022,10 +1022,12 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 		SSL_MODE_RELEASE_BUFFERS;
 	STACK_OF(SSL_CIPHER) * ciphers = NULL;
 	SSL_CIPHER * cipher = NULL;
-	const char * cipher_name = NULL;
-	/* The name of ciphers using an Ephemeral Diffie Hellman key exchange
-	   starts with "EDH". */
-	const char edh_name[] = "EDH";
+	char cipher_description[128];
+	/* The description of ciphers using an Ephemeral Diffie Hellman key exchange
+	   contains " Kx=DH " or " Kx=DH(". Beware of " Kx=DH/",
+	   which is not ephemeral DH. */
+	const char dhe_description[] = " Kx=DH ";
+	const char dhe_export_description[] = " Kx=DH(";
 	int idx = 0;
 	int dhe_found = 0;

@ -1124,10 +1126,12 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 		if (ciphers) {
 			for (idx = 0; idx < sk_SSL_CIPHER_num(ciphers); idx++) {
 				cipher = sk_SSL_CIPHER_value(ciphers, idx);
-				cipher_name = SSL_CIPHER_get_name(cipher);
-				if (strncmp(cipher_name, edh_name, sizeof (edh_name)-1) == 0) {
-					dhe_found = 1;
-					break;
+				if (SSL_CIPHER_description(cipher, cipher_description, sizeof (cipher_description)) == cipher_description) {
+					if (strstr(cipher_description, dhe_description) != NULL ||
+					    strstr(cipher_description, dhe_export_description) != NULL) {
+						dhe_found = 1;
+						break;
+					}
 				}
 			}