diff --git a/lib/ssl/src/ssl_config.erl b/lib/ssl/src/ssl_config.erl
index 761a4f431561..2b8002d71592 100644
--- a/lib/ssl/src/ssl_config.erl
+++ b/lib/ssl/src/ssl_config.erl
@@ -331,7 +331,7 @@ init_diffie_hellman(DbHandle, Opts, server) ->
 Bin when is_binary(Bin) ->
 public_key:der_decode('DHParameter', Bin);
 _ ->
- case maps:get(dh, Opts, undefined) of
+ case maps:get(dhfile, Opts, undefined) of
 undefined ->
 ?DEFAULT_DIFFIE_HELLMAN_PARAMS;
 DHParamFile ->
diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl
index aa93a021a02e..9090f29baaa6 100644
--- a/lib/ssl/test/ssl_api_SUITE.erl
+++ b/lib/ssl/test/ssl_api_SUITE.erl
@@ -72,6 +72,8 @@
 active_n/1,
 dh_params/0,
 dh_params/1,
+ invalid_dhfile/0,
+ invalid_dhfile/1,
 prf/0,
 prf/1,
 hibernate_client/0,
@@ -278,6 +280,7 @@ simple_api_tests() ->
 invalid_keyfile,
 invalid_certfile,
 invalid_cacertfile,
+ invalid_dhfile,
 invalid_options,
 options_not_proplist,
 options_whitebox,
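Review bot: The corrected `maps:get(dhfile, Opts, undefined)` deserves a comment on the precedence it establishes, because the old line re-read `dh` and so the `dhfile` branch was unreachable — a server configured only with `dhfile` silently fell through to `?DEFAULT_DIFFIE_HELLMAN_PARAMS` instead of the operator's chosen group, which is worth a release-note entry as well as the code comment. Suggested comment above the inner case: `%% A DER-encoded 'dh' option takes precedence; 'dhfile' is consulted only when 'dh' is absent, and the built-in default group is the last resort.` The surrounding `_ ->` clause also swallows a non-binary `dh` value and proceeds to `dhfile`/default; if option validation elsewhere already rejects that shape this is harmless, otherwise `undefined ->` would surface the misconfiguration instead of masking it. init_diffie_hellman continues past the hunk, so the handling of `DHParamFile` (how the file is read and decoded) is not visible here. The two export-list hunks in ssl_api_SUITE.erl need no change.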
@@ -799,6 +802,49 @@ dh_params(Config) when is_list(Config) ->
 ssl_test_lib:close(Server),
 ssl_test_lib:close(Client).
 
+
+%%--------------------------------------------------------------------
+invalid_dhfile() ->
+ [{doc,"Test to check invalid DH-params file in server."}].
+invalid_dhfile(Config) when is_list(Config) ->
+ ClientOpts = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config),
+ ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
+ DataDir = proplists:get_value(data_dir, Config),
+ DHParamFile = filename:join(DataDir, "dHParam-invalid.pem"),
+
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+ Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {ssl_test_lib,
+ send_recv_result_active,
+ []}},
+ {options, [{dhfile, DHParamFile}
+ | ServerOpts]}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Client = ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ {host, Hostname}, {from, self()},
+ {mfa, {ssl_test_lib,
+ send_recv_result_active,
+ []}},
+ {options, [{ciphers,
+ [{dhe_rsa,
+ aes_256_cbc, sha}]}
+ | ClientOpts]}]),
+
+ %% assert server error
+ [{Server, {error, {options, {dhfile, DHParamFile,
+ {error, {asn1,
+ {{invalid_value, 0}, _Stack}}}}}}}] =
+ ssl_test_lib:get_result([Server]),
+
+ %% assert client error
+ ssl_test_lib:check_result(Client, {error, closed}),
+
+ ssl_test_lib:close(Server),
+ ssl_test_lib:close(Client).
+
+
 %%--------------------------------------------------------------------
 conf_signature_algs() ->
 [{doc,"Test to set the signature_algs option on both client and server"}].
diff --git a/lib/ssl/test/ssl_api_SUITE_data/dHParam-invalid.pem b/lib/ssl/test/ssl_api_SUITE_data/dHParam-invalid.pem
new file mode 100644
index 000000000000..17d88ffc4ad9
--- /dev/null
+++ b/lib/ssl/test/ssl_api_SUITE_data/dHParam-invalid.pem
@@ -0,0 +1,2 @@
+-----BEGIN DH PARAMETERS-----
+-----END DH PARAMETERS-----
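Review bot: The server-error assertion in invalid_dhfile/1 pins the exact asn1 failure shape, `{error, {asn1, {{invalid_value, 0}, _Stack}}}`, which couples the suite to the decoder's internal error term and will break on any asn1 change that is not a regression in ssl; it also documents, in passing, that the `dhfile` option error handed back to the caller carries an asn1 stacktrace term, which reviewers of the option-error contract may want to look at separately. Matching only what the test is about is enough: `[{Server, {error, {options, {dhfile, DHParamFile, {error, {asn1, _}}}}}}] = ssl_test_lib:get_result([Server]),`. Since the bug being fixed was that `dhfile` was silently ignored, this negative test proves the file is now opened and parsed, but a positive counterpart asserting that a valid `dhfile` group is actually negotiated would guard the fix more directly — dh_params/1 directly above may already do so, but its body is outside this hunk. The fixture dHParam-invalid.pem has an empty PEM body, so only the empty-DER path is exercised; a truncated or garbage body would hit a different decoder branch if that matters to the suite's intent.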