From 39439c8f974c07bcf795403c3a0a4d54711ebdc7 Mon Sep 17 00:00:00 2001 From: Vitezslav Crhonek Date: Mon, 16 Jun 2025 13:50:17 +0200 Subject: [PATCH 1/2] Fix for post-quantum cryptography in TLS Remove deprecated 'EC_KEY_new_by_curve_name' and add configuration option for fall back certificate/key pair. Signed-off-by: Vitezslav Crhonek --- etc/openwsman.conf | 4 ++++ src/server/shttpd/shttpd.c | 15 +++++++++------ src/server/wsmand-daemon.c | 14 ++++++++++++++ src/server/wsmand-daemon.h | 2 ++ 4 files changed, 29 insertions(+), 6 deletions(-) diff --git a/etc/openwsman.conf b/etc/openwsman.conf index 84326f23f..fa36ecb8b 100644 --- a/etc/openwsman.conf +++ b/etc/openwsman.conf @@ -32,8 +32,12 @@ ipv6 = yes # the openwsman server certificate file, in .pem format ssl_cert_file = /etc/openwsman/servercert.pem +# the openwsman server certificate fallback file, in .pem format +#ssl_cert_fallback_file = /etc/openwsman/servercert-fallback.pem # the openwsman server private key, in .pem format ssl_key_file = /etc/openwsman/serverkey.pem +# the openwsman server private key fallback, in .pem format +#ssl_key_fallback_file = /etc/openwsman/serverkey-fallback.pem # space-separated list of SSL protocols to *dis*able # possible values: SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv1_2 diff --git a/src/server/shttpd/shttpd.c b/src/server/shttpd/shttpd.c index e8b2a5b3a..0f0e01a37 100644 --- a/src/server/shttpd/shttpd.c +++ b/src/server/shttpd/shttpd.c @@ -1508,7 +1508,6 @@ set_ssl(struct shttpd_ctx *ctx, const char *pem) char *ssl_disabled_protocols = wsmand_options_get_ssl_disabled_protocols(); char *ssl_cipher_list = wsmand_options_get_ssl_cipher_list(); int retval = FALSE; - EC_KEY* key; /* Load SSL library dynamically */ if ((lib = dlopen(SSL_LIB, RTLD_LAZY)) == NULL) { 
@@ -1539,11 +1538,15 @@ set_ssl(struct shttpd_ctx *ctx, const char *pem) else retval = TRUE; - /* This enables ECDH Perfect Forward secrecy. Currently with just the most generic p256 prime curve */ - key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - if (key != NULL) { - SSL_CTX_set_tmp_ecdh(CTX, key); - EC_KEY_free(key); + /* Add fall back certificate/key pair */ + if (wsmand_options_get_ssl_cert_fallback_file() && + wsmand_options_get_ssl_key_fallback_file()) { + if (SSL_CTX_use_certificate_file(CTX, wsmand_options_get_ssl_cert_fallback_file(), SSL_FILETYPE_PEM) != 1) + _shttpd_elog(E_LOG, NULL, "cannot open certificate fallback file %s", pem); + else if (SSL_CTX_use_PrivateKey_file(CTX, wsmand_options_get_ssl_key_fallback_file(), SSL_FILETYPE_PEM) != 1) + _shttpd_elog(E_LOG, NULL, "cannot open fallback PrivateKey %s", pem); + else + retval = TRUE; } while (ssl_disabled_protocols) { diff --git a/src/server/wsmand-daemon.c b/src/server/wsmand-daemon.c index fca48fec9..206c11aa0 100644 --- a/src/server/wsmand-daemon.c +++ b/src/server/wsmand-daemon.c @@ -76,8 +76,10 @@ static int use_ipv6 = 0; #endif static int use_digest = 0; static char *ssl_key_file = NULL; +static char *ssl_key_fallback_file = NULL; static char *service_path = DEFAULT_SERVICE_PATH; static char *ssl_cert_file = NULL; +static char *ssl_cert_fallback_file = NULL; static char *ssl_disabled_protocols = NULL; static char *ssl_cipher_list = NULL; static char *pid_file = DEFAULT_PID_PATH; 
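Review bot: In set_ssl() (src/server/shttpd/shttpd.c) the fallback branch ends with `else retval = TRUE;`, so a successful fallback load reports success even if the primary certificate or key load just above left retval at FALSE. A failed fallback load is only logged and leaves retval untouched. If the fallback pair is meant to supplement the primary rather than replace it, drop that `else retval = TRUE;` and set `retval = FALSE;` in the two error branches; the primary load chain starts outside this hunk, so its failure handling should be confirmed first. OpenSSL keeps one certificate per key type in an SSL_CTX, so a fallback of the same type as the primary would presumably replace it, and the openwsman.conf comment should say the two pairs must use different algorithms. The hunk also removes the `SSL_CTX_set_tmp_ecdh` setup with no replacement, which is fine on OpenSSL 1.1.0 and later, but a build against an older library would likely lose its ECDHE suites, so the new comment should state the minimum supported version.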
@@ -186,7 +188,9 @@ int wsmand_read_config(dictionary * ini) service_path = iniparser_getstring(ini, "server:service_path", "/wsman"); ssl_key_file = iniparser_getstr(ini, "server:ssl_key_file"); + ssl_key_fallback_file = iniparser_getstr(ini, "server:ssl_key_fallback_file"); ssl_cert_file = iniparser_getstr(ini, "server:ssl_cert_file"); + ssl_cert_fallback_file = iniparser_getstr(ini, "server:ssl_cert_fallback_file"); ssl_disabled_protocols = iniparser_getstr(ini, "server:ssl_disabled_protocols"); ssl_cipher_list = iniparser_getstr(ini, "server:ssl_cipher_list"); use_ipv4 = iniparser_getboolean(ini, "server:ipv4", 1); @@ -364,6 +368,16 @@ char *wsmand_options_get_ssl_cert_file(void) return ssl_cert_file; } +char *wsmand_options_get_ssl_key_fallback_file(void) +{ + return ssl_key_fallback_file; +} + +char *wsmand_options_get_ssl_cert_fallback_file(void) +{ + return ssl_cert_fallback_file; +} + char *wsmand_options_get_ssl_disabled_protocols(void) { return ssl_disabled_protocols; diff --git a/src/server/wsmand-daemon.h b/src/server/wsmand-daemon.h index b2b0b55ae..5a1c807ba 100644 --- a/src/server/wsmand-daemon.h +++ b/src/server/wsmand-daemon.h @@ -76,6 +76,8 @@ int wsmand_options_get_server_port(void); int wsmand_options_get_server_ssl_port(void); char *wsmand_options_get_ssl_key_file(void); char *wsmand_options_get_ssl_cert_file(void); +char *wsmand_options_get_ssl_key_fallback_file(void); +char *wsmand_options_get_ssl_cert_fallback_file(void); char *wsmand_options_get_ssl_disabled_protocols(void); char *wsmand_options_get_ssl_cipher_list(void); int wsmand_options_get_digest(void); From 0d5b1496412c6835de15ba5de16fda9653750625 Mon Sep 17 00:00:00 2001 From: Vitezslav Crhonek Date: Wed, 9 Jul 2025 08:56:39 +0200 Subject: [PATCH 2/2] Fix SSL fallback error reporting - Use _shttpd_report_ssl_error instead of _shttpd_elog - Fix bug where 'pem' parameter was used instead of actual file paths 
Signed-off-by: Vitezslav Crhonek --- src/server/shttpd/shttpd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/server/shttpd/shttpd.c b/src/server/shttpd/shttpd.c index 0f0e01a37..31821da69 100644 --- a/src/server/shttpd/shttpd.c +++ b/src/server/shttpd/shttpd.c @@ -1542,9 +1542,9 @@ set_ssl(struct shttpd_ctx *ctx, const char *pem) if (wsmand_options_get_ssl_cert_fallback_file() && wsmand_options_get_ssl_key_fallback_file()) { if (SSL_CTX_use_certificate_file(CTX, wsmand_options_get_ssl_cert_fallback_file(), SSL_FILETYPE_PEM) != 1) - _shttpd_elog(E_LOG, NULL, "cannot open certificate fallback file %s", pem); + _shttpd_report_ssl_error("cannot open certificate fallback file", wsmand_options_get_ssl_cert_fallback_file()); else if (SSL_CTX_use_PrivateKey_file(CTX, wsmand_options_get_ssl_key_fallback_file(), SSL_FILETYPE_PEM) != 1) - _shttpd_elog(E_LOG, NULL, "cannot open fallback PrivateKey %s", pem); + _shttpd_report_ssl_error("cannot open fallback PrivateKey", wsmand_options_get_ssl_key_fallback_file()); else retval = TRUE; }
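Review bot: The guard `if (wsmand_options_get_ssl_cert_fallback_file() && wsmand_options_get_ssl_key_fallback_file())` skips the whole block without any message when only one of the two options is set. A half-configured fallback therefore goes unnoticed and the server runs with the primary pair alone. Consider reading both getters into locals once and adding `else if (cert_fb || key_fb) _shttpd_elog(E_LOG, NULL, "ssl_cert_fallback_file and ssl_key_fallback_file must both be set");` after the block. The same locals would replace the repeated getter calls in the load and error-report lines. set_ssl() starts and ends outside the hunk.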