Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in…

… TLS. This code would not really generate ephemeral keys every time it is called, but a single key that would be reused during process lifetime and returned each time the function was called; probably not what users would expect. TLS allowes ephemeral keys to be used only when no other key exchange, such as (ephemeral) Diffie-Hellman, is performed. The end result is that it was only used by a number of (weak) export ciphers, which could give users a false sense of security. So, instead of fixing a weak cipher mode, we'll just remove support for it completely. Plenty of better alternatives are available in TLS. Signed-off-by: Steffan Karger <[email protected]> Acked-by: Arne Schwabe <[email protected]> Acked-by: Gert Doering <[email protected]> Message-Id: <[email protected]> URL: http://article.gmane.org/gmane.network.openvpn.devel/8152 Signed-off-by: Gert Doering <[email protected]>
julek-wolfssl · Jan 3, 2014 · 813aa55 · 813aa55
1 parent cb03dca
commit 813aa55
Showing 1 changed file with 0 additions and 18 deletions.
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
@@ -93,22 +93,6 @@ tls_clear_error()
   ERR_clear_error ();
 }
 
-/*
- * OpenSSL callback to get a temporary RSA key, mostly
- * used for export ciphers.
- */
-static RSA *
-tmp_rsa_cb (SSL * s, int is_export, int keylength)
-{
-  static RSA *rsa_tmp = NULL;
-  if (rsa_tmp == NULL)
-    {
-      msg (D_HANDSHAKE, "Generating temp (%d bit) RSA key", keylength);
-      rsa_tmp = RSA_generate_key (keylength, RSA_F4, NULL, NULL);
-    }
-  return (rsa_tmp);
-}
-
 void
 tls_ctx_server_new(struct tls_root_ctx *ctx)
 {
@@ -118,8 +102,6 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
 
   if (ctx->ctx == NULL)
     msg (M_SSLERR, "SSL_CTX_new SSLv23_server_method");
-
-  SSL_CTX_set_tmp_rsa_callback (ctx->ctx, tmp_rsa_cb);
 }
 
 void