diff options
author | Steffan Karger <steffan@karger.me> | 2014-01-01 21:10:24 +0100 |
---|---|---|
committer | Gert Doering <gert@greenie.muc.de> | 2014-01-03 15:08:27 +0100 |
commit | 813aa55754c27bdae5380dce415497a574b47e1b (patch) | |
tree | 224f87b033cbd9b257a5543e5d77c0026664e2d4 /src/openvpn/ssl_openssl.c | |
parent | cb03dca83e37fd65666bf776f39da902fb10acbc (diff) | |
download | openvpn-813aa55754c27bdae5380dce415497a574b47e1b.tar.gz openvpn-813aa55754c27bdae5380dce415497a574b47e1b.tar.xz openvpn-813aa55754c27bdae5380dce415497a574b47e1b.zip |
Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in TLS.
This code would not really generate ephemeral keys every time it is called,
but a single key that would be reused during process lifetime and returned
each time the function was called; probably not what users would expect.
TLS allowes ephemeral keys to be used only when no other key exchange, such
as (ephemeral) Diffie-Hellman, is performed. The end result is that it was
only used by a number of (weak) export ciphers, which could give users a
false sense of security.
So, instead of fixing a weak cipher mode, we'll just remove support for it
completely. Plenty of better alternatives are available in TLS.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-5-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8152
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl_openssl.c')
-rw-r--r-- | src/openvpn/ssl_openssl.c | 18 |
1 files changed, 0 insertions, 18 deletions
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 1c6291f..08327a1 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -93,22 +93,6 @@ tls_clear_error() ERR_clear_error (); } -/* - * OpenSSL callback to get a temporary RSA key, mostly - * used for export ciphers. - */ -static RSA * -tmp_rsa_cb (SSL * s, int is_export, int keylength) -{ - static RSA *rsa_tmp = NULL; - if (rsa_tmp == NULL) - { - msg (D_HANDSHAKE, "Generating temp (%d bit) RSA key", keylength); - rsa_tmp = RSA_generate_key (keylength, RSA_F4, NULL, NULL); - } - return (rsa_tmp); -} - void tls_ctx_server_new(struct tls_root_ctx *ctx) { @@ -118,8 +102,6 @@ tls_ctx_server_new(struct tls_root_ctx *ctx) if (ctx->ctx == NULL) msg (M_SSLERR, "SSL_CTX_new SSLv23_server_method"); - - SSL_CTX_set_tmp_rsa_callback (ctx->ctx, tmp_rsa_cb); } void |