ossl netstream driver: allow ephemeral Diffie-Hellman key exchange #5323
Use well-known DH parameters that have built-in support in OpenSSL. From the man page:

> If "auto" DH parameters are switched on then the parameters will be selected to be consistent with the size of the key associated with the server's certificate. If there is no certificate (e.g. for PSK ciphersuites), then it will be consistent with the size of the negotiated symmetric cipher key.
Current situation

Using the ossl netstream driver, I am not able to create an `imtcp` instance which uses only the following cipher list (the highlight is on the ephemeral DH exchange part):

Configuration snippet:

The problem is that the requested ciphers are not available even if I delete the priorityString setting. This does not apply to the `gtls` driver. The following works as expected:

After applying the patch, I used `nmap` to verify which ciphers are used by an `imtcp` connection. Using the first rsyslog snippet:
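The verification step above checks that a listener really negotiates an ephemeral (forward-secret) key exchange. The following is an added example, not code from the rsyslog PR or project: it uses `openssl s_client` rather than the nmap run described in the PR, classifies a negotiated cipher name by its key-exchange prefix (OpenSSL's classic naming is assumed), and parses the cipher out of an s_client transcript. The transcript fragment and the cipher names are constructed sample values.

```shell
#!/bin/sh
# Added example (not part of the rsyslog PR): decide whether a TLS endpoint
# negotiates an ephemeral (forward-secret) key exchange.
# Assumes OpenSSL's classic cipher names (DHE-RSA-..., ECDHE-..., TLS_AES_...).

# Return 0 when the cipher name implies ephemeral (EC)DH key exchange.
is_ephemeral_kx() {
    case "$1" in
        DHE-*|EDH-*|ECDHE-*|EECDH-*) return 0 ;;   # TLS 1.2-style suite names
        TLS_AES_*|TLS_CHACHA20_*)    return 0 ;;   # TLS 1.3 suites always use (EC)DHE
        *)                           return 1 ;;
    esac
}

# Read `openssl s_client` output on stdin and print the negotiated cipher
# from the "Cipher    : ..." line of the SSL-Session block (first match only).
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Constructed transcript fragment in the shape s_client prints it.
SAMPLE_OUTPUT='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 0123'

# Live check (needs network access to the listener): probe host:port and
# fail unless the negotiated suite uses an ephemeral key exchange.
check_endpoint() {
    cipher=$(openssl s_client -connect "$1" </dev/null 2>/dev/null | negotiated_cipher)
    [ -n "$cipher" ] && is_ephemeral_kx "$cipher"
}

# Usage: check_endpoint syslog.example.invalid:6514 && echo "ephemeral kx OK"
```

`check_endpoint` exits non-zero both when the handshake fails outright and when a static-RSA suite is chosen, so it can be dropped into a post-deployment check for the `imtcp` listener configured above.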