-
Notifications
You must be signed in to change notification settings - Fork 2.3k
Fixed incorrect SSL_CTX_set0_tmp_dh_pkey() usage #4663
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
well, you broke quite a bit of things with this, please see what else needs to be adressed; won't be merged unless CI is all green
Hi all, The error messages show that the newly introduced exception which is raised if SSL_CTX_set0_tmp_dh_pkey() returns with an error is triggering the failures in the CI.
OpenSSL rejects the given DH key because it is too small. Prior to this PR this rejection was not reported, leaving the client under the impression that the given DH keys were accepted. My guess is that the machines running the failing tests are configured to use SECLEVEL=2 (see https://stackoverflow.com/questions/61626206/what-could-cause-dh-key-too-small-error ) and thereby do not support 1024-bit DH keys. These errors go away if you change dhUse2048Bits from false to true in @aleks-f Could changing dhUse2048Bits in Context::Params::Params() be the way forward? PS: On my machine this change brings the errors down to two errors (probably unrelated?)
|
Yes, but let's introduce the default values as parameters to the
yes, unrelated |
moved to #4753 |
This simple program crashes POCO (tested under Red Hat Enterprise Linux 9.4):
The problem is an incorrect usage of SSL_CTX_set0_tmp_dh_pkey() in Context::initDH(). The return value is not evaluated and the key is freed even if it has been successfully transferred to the SSL Context.
The relevant part of the OpenSSL manpage https://docs.openssl.org/3.1/man3/SSL_CTX_set_tmp_dh_callback/: