From: Scott S. G. <sc...@us...> - 2016-12-17 22:55:51
Update of /cvsroot/aolserver/nsopenssl In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv6781 Modified Files: ChangeLog sslcontext.c Log Message: Set up ECDH parameters to enable the use of ciphers that require these parameters, some of which provide for forward secrecy. Without configured ECDH paramaters, OpenSSL silently ignores ciphers that require them, even if you expliticly add them to the CipherSuite configuration string. Also minor cleanup of the DH code committed yesterday. See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman Index: sslcontext.c =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/sslcontext.c,v retrieving revision 1.12 retrieving revision 1.13 diff -C2 -d -r1.12 -r1.13 *** sslcontext.c 16 Dec 2016 16:45:41 -0000 1.12 --- sslcontext.c 17 Dec 2016 22:55:49 -0000 1.13 *************** *** 267,281 **** */ ! DH *dh = get_dh1024 (); ! if (SSL_CTX_set_tmp_dh(sslcontext->sslctx, dh) == 1) { Ns_Log(Notice, "%s (%s): DH parameters (1024 bit) set", MODULE, server); ! /* This apparently prevents some sort of DH attack */ SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_SINGLE_DH_USE); } else { ! Ns_Log(Error, "%s (%s): failed to set DH parameters - some ciphers will not be available", MODULE, server); } ! DH_free (dh); /* --- 267,305 ---- */ ! DH *dh = get_dh1024(); ! if (dh == NULL || SSL_CTX_set_tmp_dh(sslcontext->sslctx, dh) == 0) { ! Ns_Log(Error, "%s (%s): failed to set DH parameters - some ciphers will not be available", ! MODULE, server); ! } else { Ns_Log(Notice, "%s (%s): DH parameters (1024 bit) set", MODULE, server); ! /* ! * Necessary for OpenSSL 1.0.2 - 1.0.2e to fix vulnerability. ! * Works in OpenSSL < 1.0.2 to prevent using same DH params repeatedly. ! * No effect in OpenSSL > 1.0.2e which forces it on regardless. ! 
*/ SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_SINGLE_DH_USE); + } + DH_free(dh); + + /* + * Set up ECDH parameters to enable the use of ciphers that require these + * parameters, some of which provide for forward secrecy. Without + * configured ECDH paramaters, OpenSSL silently ignores ciphers that + * require them, even if you expliticly add them to the CipherSuite + * configuration string. + * + * See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman + */ + + EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (ecdh == NULL || SSL_CTX_set_tmp_ecdh(sslcontext->sslctx, ecdh) == 1) { + Ns_Log(Error, "%s (%s): failed to set ECDH parameters - some ciphers will not be available", + MODULE, server); } else { ! Ns_Log(Notice, "%s (%s): ECDH parameters set using the prime256v1 curve", MODULE, server); } ! EC_KEY_free (ecdh); /* Index: ChangeLog =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/ChangeLog,v retrieving revision 1.118 retrieving revision 1.119 diff -C2 -d -r1.118 -r1.119 *** ChangeLog 16 Dec 2016 16:45:41 -0000 1.118 --- ChangeLog 17 Dec 2016 22:55:49 -0000 1.119 *************** *** 1,2 **** --- 1,23 ---- + 2016-12-17 Scott S. Goodwin <sc...@sc...> + + * sslcontext.c: Set up ECDH parameters to enable the use of ciphers + that require these parameters, some of which provide for forward + secrecy. Without configured ECDH paramaters, OpenSSL silently ignores + ciphers that require them, even if you expliticly add them to the + CipherSuite configuration string. Also minor cleanup of the DH code + committed yesterday. + + See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman + + 2016-12-16 Scott S. Goodwin <sc...@sc...> + + * sslcontext.c: Set up ECDH parameters to enable the use of ciphers + that require these parameters, some of which provide for forward + secrecy. 
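Review bot: The new ECDH check in sslcontext.c treats success as failure: `SSL_CTX_set_tmp_ecdh()` returns 1 on success, so the `== 1` test sends a working configuration to the "failed to set ECDH parameters" Error branch and a failed one to the Notice, which hides a real loss of the forward-secrecy suites from anyone reading the log. The DH branch just above tests `== 0` for failure; the ECDH one should match it, `if (ecdh == NULL || SSL_CTX_set_tmp_ecdh(sslcontext->sslctx, ecdh) != 1) {`. The DH path also sets `SSL_OP_SINGLE_DH_USE` while the ECDH path sets no counterpart; if the OpenSSL versions this module supports do not already force a fresh ECDH key per handshake, adding `SSL_CTX_set_options(sslcontext->sslctx, SSL_OP_SINGLE_ECDH_USE);` in the success branch would keep the two consistent. The enclosing function starts and ends outside the hunk, so whether other code depends on these log lines is not visible here.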
Without configured ECDH paramaters, OpenSSL silently ignores + ciphers that require them, even if you expliticly add them to the + CipherSuite configuration string. + + See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman + 2016-12-16 Scott S. Goodwin <sc...@sc...> *************** *** 9,12 **** --- 30,47 ---- distribution in apps/dh1024.pem. + We create the .h file this way: + + $OPENSSL dhparam -inform PEM -in $DH_PEM_FILE -C -noout >> $DH_C_FILE + + Where: + + DH_PEM_FILE -> OpenSSL source dist apps/dh1024.pem file + DH_C_FILE -> dh1024.h in the nsopenssl distribution directory + + The source dh1024.pem file might be regenerated and a new one supplied + with each release of OpenSSL. + + See: https://wiki.openssl.org/index.php/Diffie-Hellman_parameters + 2004-11-20 tag v3_0beta26 |