BUG/MEDIUM: fix DH length when EC key is used
authorIlya Shipitsin <chipitsine@gmail.com>
Sat, 23 Jul 2022 18:55:19 +0000 (23:55 +0500)
committerWilly Tarreau <w@1wt.eu>
Sat, 6 Aug 2022 15:45:40 +0000 (17:45 +0200)
dh of length 1024 were chosen for EVP_PKEY_EC key type.
let us pick "default_dh_param" instead.

issue was found on Ubuntu 22.04 which is shipped with OpenSSL configured
with SECLEVEL=2 by default. such SECLEVEL value prohibits DH shorter than
2048:

OpenSSL error[0xa00018a] SSL_CTX_set0_tmp_dh_pkey: dh key too small

better strategy for choosing DH still may be considered though.

src/ssl_sock.c

index 1d39826e6925e09fe2a7eec8db988d2bd44f3370..02b369a7902121a783370740e1b3fc64e3449b2a 100644 (file)
@@ -3211,6 +3211,10 @@ static HASSL_DH *ssl_get_tmp_dh(EVP_PKEY *pkey)
 
        type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
 
+       if (type == EVP_PKEY_EC) {
+               keylen = global_ssl.default_dh_param;
+       }
+
        /* The keylen supplied by OpenSSL can only be 512 or 1024.
           See ssl3_send_server_key_exchange() in ssl/s3_srvr.c
         */
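Review bot: The new EC branch assigns `global_ssl.default_dh_param` with no comment on why an EC certificate gets the configured default instead of a size taken from the key, and nothing visible guards the case where that setting is still 0 (unset); if the code after the hunk falls back to the 1024-bit group for any keylen below 2048, the SECLEVEL=2 rejection this commit fixes presumably recurs for a configuration that never sets tune.ssl.default-dh-param, so it is worth confirming that the setting is normalized to a value of at least 2048 before this function runs. A short comment would record the intent: `/* EC keys carry no DH size hint: use the configured default (tune.ssl.default-dh-param) rather than the 1024-bit fallback. */`. The branch also lands directly above the comment stating that the OpenSSL-supplied keylen can only be 512 or 1024, which now reads as if it applied to the EC assignment; moving the EC branch below that comment, presumably next to the branch that reads the key's bit length, would keep the two cases together. ssl_get_tmp_dh begins and ends outside the hunk.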