Merge r1916863 from trunk:

* Ensure that we set the default DH parameters for the key

Replace else with an if as the if branch no longer ensures that
custome DH parameters have been loaded.
This fixes a regression that causes the default DH parameters for a key
no longer set and thus effectively disabling DH ciphers when no explicit
DH parameters are set.

PR: 68863
Submitted by: rpluem
Reviewed by: rpluem, jorton, ylavic

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918385 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/changes-entries/pr68863.txt b/changes-entries/pr68863.txt
new file mode 100644 (file)
index 0000000..d45ffc7
--- /dev/null
+++ b/changes-entries/pr68863.txt
@@ -0,0 +1,3 @@
+  *) mod_ssl: Fix a regression that causes the default DH parameters for a key
+     no longer set and thus effectively disabling DH ciphers when no explicit
+     DH parameters are set. PR 68863 [Ruediger Pluem]

diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index c2ec048f5276334b83ce102f77c3cad04ae12b20..12c767cac0f21c6ec28f6b111e194b9ae9e5ed85 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1346,6 +1346,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
     int i;
     EVP_PKEY *pkey;
+    int custom_dh_done = 0;
 #ifdef HAVE_ECC
     EC_GROUP *ecgroup = NULL;
     int curve_nid = 0;
@@ -1518,14 +1519,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
      */
     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
     if (certfile && !modssl_is_engine_id(certfile)) {
-        int done = 0, num_bits = 0;
+        int num_bits = 0;
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
         DH *dh = modssl_dh_from_file(certfile);
         if (dh) {
             num_bits = DH_bits(dh);
             SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
             DH_free(dh);
-            done = 1;
+            custom_dh_done = 1;
         }
 #else
         pkey = modssl_dh_pkey_from_file(certfile);
@@ -1535,18 +1536,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
                 EVP_PKEY_free(pkey);
             }
             else {
-                done = 1;
+                custom_dh_done = 1;
             }
         }
 #endif
-        if (done) {
+        if (custom_dh_done) {
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
                          "Custom DH parameters (%d bits) for %s loaded from %s",
                          num_bits, vhost_id, certfile);
         }
     }
 #if !MODSSL_USE_OPENSSL_PRE_1_1_API
-    else {
+    if (!custom_dh_done) {
         /* If no parameter is manually configured, enable auto
          * selection. */
         SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);