From: Remi Tricot-Le Breton Date: Fri, 11 Feb 2022 11:04:54 +0000 (+0100) Subject: MINOR: ssl: Set default dh size to 2048 X-Git-Tag: v2.6-dev2~172 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=55d7e782eec37e5e90f0dd36f957ef9a0fc74b96;p=thirdparty%2Fhaproxy.git MINOR: ssl: Set default dh size to 2048 Starting from OpenSSLv3, we won't rely on the SSL_CTX_set_tmp_dh_callback mechanism so we will need to know the DH size we want to use during init. In order for the default DH param size to be used when no RSA or DSA private key can be found for a given bind line, we will need to know the default size we want to use (which was not possible the way the code was built, since the global default dh size was set too late.
---
diff --git a/include/haproxy/defaults.h b/include/haproxy/defaults.h
index 7e9e9a3d3e..9b521dff1f 100644
--- a/include/haproxy/defaults.h
+++ b/include/haproxy/defaults.h
@@ -354,7 +354,7 @@
 
 /* ssl max dh param size */
 #ifndef SSL_DEFAULT_DH_PARAM
-#define SSL_DEFAULT_DH_PARAM 0
+#define SSL_DEFAULT_DH_PARAM 2048
 #endif
 
 /* max memory cost per SSL session */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 27d3d527d2..d48ec1aedf 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4772,17 +4772,6 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
 #endif
 
 #ifndef OPENSSL_NO_DH
-	/* If tune.ssl.default-dh-param has not been set,
-	   neither has ssl-default-dh-file and no static DH
-	   params were in the certificate file. */
-	if (global_ssl.default_dh_param == 0 &&
-	    global_dh == NULL &&
-	    (ssl_dh_ptr_index == -1 ||
-	     SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
-		/* default to dh-param 2048 */
-		global_ssl.default_dh_param = 2048;
-	}
-
 	if (global_ssl.default_dh_param >= 1024) {
 		if (local_dh_1024 == NULL) {
 			local_dh_1024 = ssl_get_dh_1024();
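Review bot: With the in-function fallback removed, the `if (global_ssl.default_dh_param >= 1024)` test that follows depends entirely on `global_ssl.default_dh_param` already holding a usable value when ssl_sock_prepare_ctx runs; the code that seeds it from SSL_DEFAULT_DH_PARAM is not part of this patch, and if the global is still zero at that point no built-in DH parameters are installed for the context, which would silently weaken DHE key exchange rather than fail loudly. Please confirm the global is assigned from SSL_DEFAULT_DH_PARAM before the first bind is prepared, and record the new contract at the `#ifndef OPENSSL_NO_DH` line, e.g. `/* global_ssl.default_dh_param is pre-set from SSL_DEFAULT_DH_PARAM; below 1024 no built-in DH params are loaded */`. The deleted block also only applied the 2048 default when neither ssl-default-dh-file nor certificate-embedded DH parameters were present, so a bind that carries its own parameters now reaches this branch too; that looks intended for the OpenSSL 3 work but should be stated in the tune.ssl.default-dh-param documentation, as should the meaning of building with SSL_DEFAULT_DH_PARAM set to 0, which no longer means "auto". ssl_sock_prepare_ctx begins and ends outside the hunk.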