tls: use default OpenSSL built-in DH parameters

Type: improvement Motivation for this addition is to add support for cipher suites that use Diffie-Hellman Ephemeral (DHE) for key exchange. Using ephemeral DH key exchange yields forward secrecy as the connection can only be decrypted when the DH key is known. Configure OpenSSL to use the default built-in DH parameters for the SSL_CTX object. Change-Id: I31aadad047a6394ddf8bfa08471c239e0d1cd63c Signed-off-by: Ofer Heifetz <oferh@marvell.com>
author: Ofer Heifetz <oferh@marvell.com> 2021-07-25 19:37:46 +0300
committer: Florin Coras <florin.coras@gmail.com> 2021-08-30 14:05:05 +0000
commit: 18599c5861d96723359997f2c70fc28fcac0e984 (patch)
tree: 2cbbc9e5c25ec3ad1165e6a4d00b08cd381d5976 /src/plugins/tlsopenssl
parent: 1b6b09bb514831050b23397c078933c2ace3ff36 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index fa223433c22..3041047a71e 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -749,6 +749,14 @@ openssl_start_listen (tls_ctx_t * lctx)
       return -1;
     }
 
+  /* use the default OpenSSL built-in DH parameters */
+  rv = SSL_CTX_set_dh_auto (ssl_ctx, 1);
+  if (rv != 1)
+    {
+      TLS_DBG (1, "Couldn't set temp DH parameters");
+      return -1;
+    }
+
   /*
    * Set the key and cert
    */
author	Ofer Heifetz <oferh@marvell.com>	2021-07-25 19:37:46 +0300
committer	Florin Coras <florin.coras@gmail.com>	2021-08-30 14:05:05 +0000
commit	18599c5861d96723359997f2c70fc28fcac0e984 (patch)
tree	2cbbc9e5c25ec3ad1165e6a4d00b08cd381d5976 /src/plugins/tlsopenssl
parent	1b6b09bb514831050b23397c078933c2ace3ff36 (diff)