Enable built-in OpenSSL DH parameters to allow DHE TLS ciphers #9811
Non-ECC DHE ciphers in the `cipher_list` attribute of `ApiListener` (the default value includes these) had no effect as no DH parameters were available and therefore the server wouldn't offer these ciphers. OpenSSL provides built-in DH parameters starting from version 1.1.0, however, these have to be enabled explicitly using the `SSL_CTX_set_dh_auto()` function. This commit does so and thereby makes it possible to establish a connection to an Icinga 2 server using a DHE cipher.

## Tests
### Availability of DHE ciphers

Diff of sslscan between the current master and this PR running in a container built using docker-icinga2 (Debian 11, OpenSSL 1.1.1n):
Full output for master
Full output for this PR
### DH group size

Note that with `SSL_CTX_set_dh_auto()`, OpenSSL chooses the DH group based on the key size in the server certificate. `critical/SSL: Error with public key file '/var/lib/icinga2/certs//agent-1.crt': 336245135, "error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small"`, which is probably good as I guess it might use a 1024-bit group otherwise.

## Limitations
`#else` branch.

refs #9809 (comment)
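A reproducible way to check the two things the PR description tests (whether a server offers finite-field DHE suites at all, and how large the DH group is) is to drive `openssl s_client` with a cipher string that permits only DHE and parse its summary. The script below is an added example for this discussion, not Icinga 2 code and not part of the PR. It assumes an `openssl` binary (1.1.x or 3.x) on `PATH` for the live probe; port 5665 as the Icinga 2 API default and the three sample outputs are assumptions/constructed data, not taken from this page.

```python
"""Probe a TLS server for finite-field DHE support and DH group size.

Added example for the PR discussion above; not Icinga 2 code. It runs
`openssl s_client` (assumed on PATH) restricted to DHE suites and parses
the summary it prints. The SAMPLE_* strings at the bottom are constructed.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Only finite-field DHE suites. ECDHE and RSA key transport are excluded so the
# handshake can only succeed if the server actually has DH parameters, i.e.
# SSL_CTX_set_dh_auto() or an explicit SSL_CTX_set_tmp_dh() took effect.
DHE_ONLY = "DHE:!ECDHE:!kRSA"

# "Cipher    : DHE-RSA-AES256-GCM-SHA384" in the SSL-Session block; s_client
# prints "0000" (older versions "(NONE)") when no handshake completed.
_CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
# "Server Temp Key: DH, 2048 bits" / "ECDH, P-256, 256 bits" / "X25519, 253 bits"
_TEMP_KEY_RE = re.compile(
    r"^Server Temp Key:\s*([\w-]+)(?:,\s*([\w-]+))?,\s*(\d+) bits", re.M)

MIN_DH_BITS = 2048  # finite-field groups below this are flagged as weak


@dataclass
class DheProbe:
    handshake_ok: bool
    cipher: Optional[str]        # negotiated suite, None if the handshake failed
    key_exchange: Optional[str]  # "DH", "ECDH", "X25519", ... as s_client prints it
    group_bits: Optional[int]    # size of the ephemeral group/key
    weak_group: bool             # True when a DH group < MIN_DH_BITS was used


def parse_s_client(output: str) -> DheProbe:
    """Parse the text `openssl s_client` prints for one handshake attempt."""
    cipher = None
    m = _CIPHER_RE.search(output)
    if m and m.group(1) not in ("0000", "(NONE)"):
        cipher = m.group(1)

    kx, bits = None, None
    m = _TEMP_KEY_RE.search(output)
    if m:
        kx, bits = m.group(1), int(m.group(3))

    weak = kx == "DH" and bits is not None and bits < MIN_DH_BITS
    return DheProbe(cipher is not None, cipher, kx, bits, weak)


def probe_dhe(host: str, port: int = 5665, timeout: float = 10.0) -> DheProbe:
    """Try a TLS 1.2 handshake offering only DHE suites and parse the result.

    Port 5665 is the Icinga 2 API default (assumption, not stated on this
    page). TLS 1.2 is forced because named DHE cipher suites exist only up to
    TLS 1.2; in 1.3 the group is negotiated separately.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-tls1_2",
           "-cipher", DHE_ONLY]
    # EOF on stdin makes s_client exit right after the handshake.
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    text = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    return parse_s_client(text)


# Constructed output for a server without DH parameters: no offered suite is
# usable, so the server sends a handshake_failure alert.
SAMPLE_NO_DH = """\
CONNECTED(00000003)
140314556180800:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

# Constructed output for a server with SSL_CTX_set_dh_auto() enabled and a
# 2048-bit RSA certificate.
SAMPLE_DH_2048 = """\
CONNECTED(00000003)
---
Server Temp Key: DH, 2048 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""

# Constructed output for a server that hands out a 1024-bit group.
SAMPLE_DH_1024 = SAMPLE_DH_2048.replace("DH, 2048 bits", "DH, 1024 bits") \
                               .replace("key is 2048 bit", "key is 1024 bit")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live probe: host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 5665
        print(probe_dhe(sys.argv[1], port))
    else:  # offline demo on the constructed samples
        for name in ("SAMPLE_NO_DH", "SAMPLE_DH_2048", "SAMPLE_DH_1024"):
            print(name, parse_s_client(globals()[name]))
```

Run it as `python3 probe_dhe.py <host> [port]` against a master build and a build of this PR: the former should report `handshake_ok=False`, the latter a `DHE-*` suite with `key_exchange='DH'` and `group_bits` matching what the PR description says about group selection. `weak_group` is the check to keep an eye on with certificates whose key is smaller than the one OpenSSL's automatic selection expects.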