MINOR: ssl: Set default dh size to 2048

Starting from OpenSSLv3, we won't rely on the
SSL_CTX_set_tmp_dh_callback mechanism so we will need to know the DH
size we want to use during init. In order for the default DH param size
to be used when no RSA or DSA private key can be found for a given bind
line, we will need to know the default size we want to use (which was
not possible the way the code was built, since the global default dh
size was set too late.

diff --git a/include/haproxy/defaults.h b/include/haproxy/defaults.h
index 7e9e9a3d3eeb6fe37729c02109ad58373840cfed..9b521dff1fe7c7222ff07500bda37a35c6797086 100644 (file)
--- a/include/haproxy/defaults.h
+++ b/include/haproxy/defaults.h
@@ -354,7 +354,7 @@
 
 /* ssl max dh param size */
 #ifndef SSL_DEFAULT_DH_PARAM
-#define SSL_DEFAULT_DH_PARAM 0
+#define SSL_DEFAULT_DH_PARAM 2048
 #endif
 
 /* max memory cost per SSL session */

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 27d3d527d20ccb34b7dff16f0c87d80a9c1e15e5..d48ec1aedfdffecaa5ced57e95f9c4c052f2dfca 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4772,17 +4772,6 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
 #endif
 
 #ifndef OPENSSL_NO_DH
-       /* If tune.ssl.default-dh-param has not been set,
-          neither has ssl-default-dh-file and no static DH
-          params were in the certificate file. */
-       if (global_ssl.default_dh_param == 0 &&
-           global_dh == NULL &&
-           (ssl_dh_ptr_index == -1 ||
-            SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
-               /* default to dh-param 2048 */
-               global_ssl.default_dh_param = 2048;
-       }
-
        if (global_ssl.default_dh_param >= 1024) {
                if (local_dh_1024 == NULL) {
                        local_dh_1024 = ssl_get_dh_1024();