X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=10bfdd6b911e0a6ee669fe942de65edd8e6e80b1;hp=f757f3caa1a9dcbd673129c4d6d9a618856865c2;hb=e03c5b59f04684c55a173d1a8ac38df7e4b21c48;hpb=0a6028757a77769f09d5c6dd3a541971224a5d81
diff --git a/apps/s_server.c b/apps/s_server.c
index f757f3caa1..10bfdd6b91 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -218,7 +218,6 @@ static void init_session_cache_ctx(SSL_CTX *sctx);
 static void free_sessions(void);
 #ifndef OPENSSL_NO_DH
 static DH *load_dh_param(const char *dhfile);
-static DH *get_dh512(void);
 #endif
 #ifdef MONOLITH
@@ -239,33 +238,6 @@ static int client_provided_client_authz = 0;
 #endif
-#ifndef OPENSSL_NO_DH
-static unsigned char dh512_p[]={
- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
- 0x47,0x74,0xE8,0x33,
- };
-static unsigned char dh512_g[]={
- 0x02,
- };
-
-static DH *get_dh512(void)
- {
- DH *dh=NULL;
-
- if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
- return(NULL);
- return(dh);
- }
-#endif
-
-
 /* static int load_CA(SSL_CTX *ctx, char *file);*/
 #undef BUFSIZZ
@@ -1058,7 +1030,7 @@ int MAIN(int argc, char *argv[])
 EVP_PKEY *s_key = NULL, *s_dkey = NULL;
 int no_cache = 0, ext_cache = 0;
 int rev = 0, naccept = -1;
- int c_no_resumption_on_reneg = 0;
+ int sdebug = 0;
 #ifndef OPENSSL_NO_TLSEXT
 EVP_PKEY *s_key2 = NULL;
 X509 *s_cert2 = NULL;
@@ -1183,10 +1155,6 @@ int MAIN(int argc, char *argv[])
 c_auth = 1;
 }
 #endif
- else if (strcmp(*argv, "-no_resumption_on_reneg") == 0)
- {
- c_no_resumption_on_reneg = 1;
- }
 else if (strcmp(*argv,"-auth_require_reneg") == 0)
 {
 c_auth_require_reneg = 1;
@@ -1377,6 +1345,10 @@ int MAIN(int argc, char *argv[])
 else if (strcmp(*argv,"-trace") == 0)
 { s_msg=2; }
 #endif
+ else if (strcmp(*argv,"-security_debug") == 0)
+ { sdebug=1; }
+ else if (strcmp(*argv,"-security_debug_verbose") == 0)
+ { sdebug=2; }
 else if (strcmp(*argv,"-hack") == 0)
 { hack=1; }
 else if (strcmp(*argv,"-state") == 0)
@@ -1776,6 +1748,8 @@ bad:
 }
 ctx=SSL_CTX_new(meth);
+ if (sdebug)
+ ssl_ctx_security_debug(ctx, bio_err, sdebug);
 if (ctx == NULL)
 {
 ERR_print_errors(bio_err);
@@ -1865,6 +1839,9 @@ bad:
 {
 BIO_printf(bio_s_out,"Setting secondary ctx parameters\n");
+ if (sdebug)
+ ssl_ctx_security_debug(ctx, bio_err, sdebug);
+
 if (session_id_prefix)
 {
 if(strlen(session_id_prefix) >= 32)
@@ -1936,11 +1913,18 @@ bad:
 else
 {
 BIO_printf(bio_s_out,"Using default temp DH parameters\n");
- dh=get_dh512();
 }
 (void)BIO_flush(bio_s_out);
- SSL_CTX_set_tmp_dh(ctx,dh);
+ if (dh == NULL)
+ SSL_CTX_set_dh_auto(ctx, 1);
+ else if (!SSL_CTX_set_tmp_dh(ctx,dh))
+ {
+ BIO_puts(bio_err, "Error setting temp DH parameters\n");
+ ERR_print_errors(bio_err);
+ DH_free(dh);
+ goto end;
+ }
 #ifndef OPENSSL_NO_TLSEXT
 if (ctx2)
 {
@@ -1956,15 +1940,21 @@ bad:
 dh = dh2;
 }
 }
- SSL_CTX_set_tmp_dh(ctx2,dh);
+ if (dh == NULL)
+ SSL_CTX_set_dh_auto(ctx2, 1);
+ else if (!SSL_CTX_set_tmp_dh(ctx2,dh))
+ {
+ BIO_puts(bio_err, "Error setting temp DH parameters\n");
+ ERR_print_errors(bio_err);
+ DH_free(dh);
+ goto end;
+ }
 }
 #endif
 DH_free(dh);
 }
 #endif
- if (c_no_resumption_on_reneg)
- SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
 goto end;
 #ifndef OPENSSL_NO_TLSEXT
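Review bot: In the hunk at `@@ -1776,6 +1748,8 @@` the new `ssl_ctx_security_debug(ctx, bio_err, sdebug);` runs before the existing `if (ctx == NULL)` test, so when `SSL_CTX_new(meth)` fails and `-security_debug` was given, a NULL context is handed to the helper. The helper is defined outside this page, so whether it tolerates NULL cannot be confirmed here; if it does not, the process would fault before the NULL branch prints its error report. Moving the two added lines to just after the NULL-check block keeps the failure path intact. That block closes outside the hunk.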
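Review bot: The call added in the hunk at `@@ -1865,6 +1839,9 @@` passes `ctx`, although it sits directly under the "Setting secondary ctx parameters" message, in what looks like the block that configures the second context (`ctx2`, as named in the later DH hunk). If so, the primary context has the debug callback installed a second time and the secondary context never gets it, so security-level decisions taken on `ctx2` would go unreported. The likely intended line is `ssl_ctx_security_debug(ctx2, bio_err, sdebug);`. The enclosing block starts and ends outside the hunk, so this should be confirmed against the full function.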
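Review bot: In the hunk at `@@ -1936,11 +1913,18 @@` the `dh == NULL` branch now calls `SSL_CTX_set_dh_auto(ctx, 1)`, but the unchanged message just above still prints "Using default temp DH parameters", so the log no longer describes what the server does. A wording such as `BIO_printf(bio_s_out,"Using automatic temp DH parameters\n");` would match the new behaviour. The return value of `SSL_CTX_set_dh_auto()` is also discarded here and in the hunk at `@@ -1956,15 +1940,21 @@`, while `SSL_CTX_set_tmp_dh()` beside it is checked. If the call can fail, the server would carry on with no DH parameters configured and no diagnostic. The two added error blocks differ only in the context argument and could share one small static helper.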