Mercurial > hg > nginx

changeset 6554:1aa9650a8154

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: removed default DH parameters. Using the same DH parameters on multiple servers is believed to be subject to precomputation attacks, see http://weakdh.org/. Additionally, 1024 bits are not enough in the modern world as well. Let users provide their own DH parameters with the ssl_dhparam directive if they want to use EDH ciphers. Note that SSL_CTX_set_dh_auto() as provided by OpenSSL 1.1.0 uses fixed DH parameters from RFC 5114 and RFC 3526, and therefore subject to the same precomputation attacks. We avoid using it as well. This change also fixes compilation with OpenSSL 1.1.0-pre5 (aka Beta 2), as OpenSSL developers changed their policy after releasing Beta 1 and broke API once again by making the DH struct opaque (see ticket #860).
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 19 May 2016 14:46:32 +0300
parents 2014ed60f17f
children 090a78da4f88
files src/event/ngx_event_openssl.c
diffstat 1 files changed, 0 insertions(+), 45 deletions(-) [+]
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -981,52 +981,7 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_
     DH   *dh;
     BIO  *bio;
 
-    /*
-     * -----BEGIN DH PARAMETERS-----
-     * MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc
-     * y7qokiYUxb7spWWl/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl
-     * 7OZicMyaUDXYzs7vnqAnSmOrHlj6/UmI0PZdFGdX2gcd8EXP4WubAgEC
-     * -----END DH PARAMETERS-----
-     */
-
-    static unsigned char dh1024_p[] = {
-        0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5,
-        0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B,
-        0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76,
-        0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5,
-        0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04,
-        0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04,
-        0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF,
-        0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50,
-        0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E,
-        0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA,
-        0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B
-    };
-
-    static unsigned char dh1024_g[] = { 0x02 };
-
-
     if (file->len == 0) {
-
-        dh = DH_new();
-        if (dh == NULL) {
-            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_new() failed");
-            return NGX_ERROR;
-        }
-
-        dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
-        dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
-
-        if (dh->p == NULL || dh->g == NULL) {
-            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
-            DH_free(dh);
-            return NGX_ERROR;
-        }
-
-        SSL_CTX_set_tmp_dh(ssl->ctx, dh);
-
-        DH_free(dh);
-
         return NGX_OK;
     }