From: Emmanuel Hocdet Date: Tue, 30 Jul 2019 15:04:01 +0000 (+0200) Subject: MINOR: ssl: do not look at DHparam with OPENSSL_NO_DH X-Git-Tag: v2.1-dev2~259 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=54227d8addaa1c0801b87e2c6ff70a4c73f486cc;p=thirdparty%2Fhaproxy.git MINOR: ssl: do not look at DHparam with OPENSSL_NO_DH OPENSSL_NO_DH can be defined to avoid obsolete and heavy DH processing. With OPENSSL_NO_DH, parse the entire PEM file to look at DHparam is wast of time.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 08ab3c304c..1cc4607f66 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2967,6 +2967,7 @@ static int ssl_sock_load_crt_file_into_ckch(const char *path, struct cert_key_an
 goto end;
 }
+#ifndef OPENSSL_NO_DH
 /* Seek back to beginning of file */
 if (BIO_reset(in) == -1) {
 memprintf(err, "%san error occurred while reading the file '%s'.\n",
@@ -2976,6 +2977,7 @@ static int ssl_sock_load_crt_file_into_ckch(const char *path, struct cert_key_an
 ckch->dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
 /* no need to check for NULL there, dh is not mandatory */
+#endif
 /* Seek back to beginning of file */
 if (BIO_reset(in) == -1) {
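Review bot: When OPENSSL_NO_DH is defined, `ckch->dh` is no longer assigned anywhere in the region guarded from this hunk's `#ifndef` to the `#endif` in the next hunk, so the field keeps whatever value it had on entry. The initialisation of `ckch` and the later readers of `dh` are outside the hunk (ssl_sock_load_crt_file_into_ckch starts and ends elsewhere), so it is worth confirming that callers zero the structure and that every consumer of `ckch->dh` sits behind the same guard. Such builds also skip any DH parameters stored in the PEM without telling the operator; a comment at the guard would record that, e.g. `/* built without DH support: DH parameters in the PEM file are not loaded */`.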
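Review bot: The `#endif` added in this hunk closes a conditional that was opened in the previous hunk, roughly ten lines earlier, and it carries no label. Writing it as `#endif /* OPENSSL_NO_DH */` keeps the pairing readable once more code lands between the two directives. The `BIO_reset` that follows stays unconditional, which looks right because the reads after it continue outside the hunk.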