]> git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
projects / thirdparty / apache / httpd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b3822d3)
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): For OpenSSL
authorJoe Orton <jorton@apache.org>
Mon, 4 Oct 2021 10:26:18 +0000 (10:26 +0000)
committerJoe Orton <jorton@apache.org>
Mon, 4 Oct 2021 10:26:18 +0000 (10:26 +0000)
  1.1+, disable auto DH parameter selection if parameters have been
  manually configured.  This fixes a regression in r1890067 after
  which manually configured parameters are ignored.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893876 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_init.c patch | blob | blame | history

diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 85c2d1b9996c3ce60168251e5a20720a45ab1c2b..330b0eb4a5c2416fa9d5b33724ff29a6e2958225 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1589,7 +1589,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
     if (certfile && !modssl_is_engine_id(certfile)
         && (dh = ssl_dh_GetParamFromFile(certfile))) {
+        /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
+         * for OpenSSL 3.0+. */
         SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
+        /* OpenSSL ignores manually configured DH params if automatic
+         * selection if enabled, so disable auto selection here. */
+        SSL_CTX_set_dh_auto(mctx->ssl_ctx, 0);
+#endif
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
                      "Custom DH parameters (%d bits) for %s loaded from %s",
                      modssl_DH_bits(dh), vhost_id, certfile);
Mirror of https://github.com/apache/httpd.git