Check-in [83b1dea4d4]


Overview
Comment:Updated references to DH parameter bit sizes and ensure error messages are printed if generating fails entirely
SHA1:83b1dea4d46e2bd47d767d3c3ce468ec07215faf
User & Date: rkeene 2017-04-18 14:29:27
Changes

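--- a/gen_dh_params
+++ b/gen_dh_params
@@ -1,14 +1,15 @@
 #! /usr/bin/env sh
 
 bits='2048'
 
 openssl_dhparam() {
 	if [ -x "`which openssl 2>/dev/null`" ]; then
 		o_output="`openssl dhparam -C "$@" 2>/dev/null`" || return 1
+		o_output="`echo "${o_output}" | sed 's/get_dh[0-9]\+/get_dhParams/'`" || return 1
 		o_output="`echo "${o_output}" | sed '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d'`" || return 1
 
 		echo "${o_output}"
 
 		return 0
 	fi
 
@@ -32,16 +33,17 @@
 		return 0
 	fi
 
 	return 1
 }
 
 gen_dh_params_fallback() {
-	cat << \_EOF_
-DH *get_dh2048(void) {
+	if [ "${bits}" = '2048' ]; then
+		cat << \_EOF_
+DH *get_dhParams(void) {
 	static unsigned char dhp_2048[] = {
 		0xC1,0x51,0x58,0x69,0xFB,0xE8,0x6C,0x47,0x2B,0x86,0x61,0x4F,
 		0x20,0x2E,0xD3,0xFC,0x19,0xEE,0xB8,0xF3,0x35,0x7D,0xBA,0x86,
 		0x2A,0xC3,0xC8,0x6E,0xF4,0x99,0x75,0x65,0xD3,0x7A,0x9E,0xDF,
 		0xD4,0x1F,0x88,0xE3,0x17,0xFC,0xA1,0xED,0xA2,0xB6,0x77,0x84,
 		0xAA,0x08,0xF2,0x97,0x59,0x7A,0xA0,0x03,0x0D,0x3E,0x7E,0x6D,
 		0x65,0x6A,0xA4,0xEA,0x54,0xA9,0x52,0x5F,0x63,0xB4,0xBC,0x98,
@@ -89,25 +91,34 @@
 		BN_free(dhg_bn);
 		return(NULL);
 	}
 
 	return(dh);
 }
 _EOF_
+
+		return 0
+	fi
+
+	return 1
 }
 
 # Enable support for giving the same DH params each time
 if [ "$1" = 'fallback' ]; then
 	gen_dh_params_fallback && exit 0
+
+	echo "Unable to generate fallback parameters for DH of ${bits} bits" >&2
 
 	exit 1
 fi
 
 echo "*****************************" >&2
 echo "** Generating DH Primes.   **" >&2
 echo "** This will take a while. **" >&2
 echo "*****************************" >&2
 gen_dh_params_openssl && exit 0
 gen_dh_params_remote && exit 0
 gen_dh_params_fallback && exit 0
+
+echo "Unable to generate parameters for DH of ${bits} bits" >&2
 
 exit 1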
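Review bot: The rename added to openssl_dhparam, `sed 's/get_dh[0-9]\+/get_dhParams/'`, depends on `\+`, a GNU extension that POSIX basic regular expressions do not define; under `#! /usr/bin/env sh` on a BSD or macOS sed the pattern does not match, the emitted C keeps defining `get_dh2048`, and tls.c, which this check-in switches to `get_dhParams`, no longer links. The portable spelling is `sed 's/get_dh[0-9][0-9]*/get_dhParams/'`. Since sed exits 0 whether or not a substitution took place, the `|| return 1` on that line cannot detect the silent non-rename; a check on the result such as `case "${o_output}" in *get_dhParams*) ;; *) return 1;; esac` would turn it into the reported failure the rest of this commit sets up. The body of openssl_dhparam continues outside the hunk.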

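--- a/tls.c
+++ b/tls.c
@@ -1177,15 +1177,15 @@
 	    if (!dh) {
 		Tcl_AppendResult(interp,
 		    "Could not read DH parameters from file", (char *) NULL);
 		SSL_CTX_free(ctx);
 		return (SSL_CTX *)0;
 	    }
 	} else {
-	    dh = get_dh2048();
+	    dh = get_dhParams();
 	}
 	SSL_CTX_set_tmp_dh(ctx, dh);
 	DH_free(dh);
     }
 #endif
 
     /* set our certificate */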
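Review bot: The new call `dh = get_dhParams();` is still not checked for NULL before `SSL_CTX_set_tmp_dh(ctx, dh)` and `DH_free(dh)`, while the file-loading branch a few lines above does reject a NULL dh; the generated function visible in the gen_dh_params section of this check-in does `return(NULL)` on its own failure path, so the built-in branch can hand a null pointer to the context. Adding the same guard with its own message keeps the two branches symmetrical; the return value of SSL_CTX_set_tmp_dh (0 on failure) is also ignored and could be checked in the same way. The enclosing function starts and ends outside the hunk.
```c
	} else {
	    dh = get_dhParams();
	    if (!dh) {
		Tcl_AppendResult(interp,
		    "Could not generate built-in DH parameters", (char *) NULL);
		SSL_CTX_free(ctx);
		return (SSL_CTX *)0;
	    }
	}
	/* … unchanged: SSL_CTX_set_tmp_dh(ctx, dh); DH_free(dh); … */
```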