* Ensure that we set the default DH parameters for the key

author Ruediger Pluem <rpluem@apache.org>

Mon, 8 Apr 2024 13:18:28 +0000 (13:18 +0000)

committer Ruediger Pluem <rpluem@apache.org>

Mon, 8 Apr 2024 13:18:28 +0000 (13:18 +0000)
author Ruediger Pluem <rpluem@apache.org>
Mon, 8 Apr 2024 13:18:28 +0000 (13:18 +0000)
committer Ruediger Pluem <rpluem@apache.org>
Mon, 8 Apr 2024 13:18:28 +0000 (13:18 +0000)
diff --git a/changes-entries/pr68863.txt b/changes-entries/pr68863.txt

new file mode 100644 (file)

index 0000000..d45ffc7
--- /dev/null
+++ b/changes-entries/pr68863.txt
@@ -0,0 +1,3 @@
+  *) mod_ssl: Fix a regression that causes the default DH parameters for a key
+     no longer set and thus effectively disabling DH ciphers when no explicit
+     DH parameters are set. PR 68863 [Ruediger Pluem]
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c

index 64e4aaf1dcdda54fe0d770c294d3ddc495c1b9c5..f657026d137e00870582fabf06b466bd9c2bff77 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1416,6 +1416,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
      const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
      int i;
      EVP_PKEY *pkey;
+    int custom_dh_done = 0;
  #ifdef HAVE_ECC
      EC_GROUP *ecgroup = NULL;
      int curve_nid = 0;
@@ -1591,14 +1592,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
       */
      certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
      if (certfile && !modssl_is_engine_id(certfile)) {
-        int done = 0, num_bits = 0;
+        int num_bits = 0;
  #if OPENSSL_VERSION_NUMBER < 0x30000000L
          DH *dh = modssl_dh_from_file(certfile);
          if (dh) {
              num_bits = DH_bits(dh);
              SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
              DH_free(dh);
-            done = 1;
+            custom_dh_done = 1;
          }
  #else
          pkey = modssl_dh_pkey_from_file(certfile);
@@ -1608,18 +1609,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
                  EVP_PKEY_free(pkey);
              }
              else {
-                done = 1;
+                custom_dh_done = 1;
              }
          }
  #endif
-        if (done) {
+        if (custom_dh_done) {
              ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
                           "Custom DH parameters (%d bits) for %s loaded from %s",
                           num_bits, vhost_id, certfile);
          }
      }
  #if !MODSSL_USE_OPENSSL_PRE_1_1_API
-    else {
+    if (!custom_dh_done) {
          /* If no parameter is manually configured, enable auto
           * selection. */
          SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
author	Ruediger Pluem <rpluem@apache.org>
	Mon, 8 Apr 2024 13:18:28 +0000 (13:18 +0000)
committer	Ruediger Pluem <rpluem@apache.org>
	Mon, 8 Apr 2024 13:18:28 +0000 (13:18 +0000)
changes-entries/pr68863.txt	[new file with mode: 0644]	patch \| blob
modules/ssl/ssl_engine_init.c		patch \| blob \| blame \| history