From: Willy Tarreau Date: Thu, 5 Nov 2020 18:38:05 +0000 (+0100) Subject: BUG/MINOR: ssl: don't report 1024 bits DH param load error when it's higher X-Git-Tag: v2.4-dev1~78 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d27a92b83f75bab42bda08ed28b70fb95525fd9;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: don't report 1024 bits DH param load error when it's higher The default dh_param value is 2048 and it's preset to zero unless explicitly set, so we must not report a warning about DH param not being loadable in 1024 bits when we're going to use 2048. Thanks to Dinko for reporting this. This should be backported to 2.2. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 6f73a31754..6f28c4f4e7 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2993,7 +2993,7 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain /* Clear openssl global errors stack */ ERR_clear_error(); - if (global_ssl.default_dh_param <= 1024) { + if (global_ssl.default_dh_param && global_ssl.default_dh_param <= 1024) { /* we are limited to DH parameter of 1024 bits anyway */ if (local_dh_1024 == NULL) local_dh_1024 = ssl_get_dh_1024();
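Review bot: The zero-means-unset convention that the new test in ssl_sock_load_dh_params() depends on is documented only in the commit message, not at the check itself. The comment directly under the condition still reads "we are limited to DH parameter of 1024 bits anyway" and gives a reader no hint why `global_ssl.default_dh_param &&` was added. I would add a one-line comment above the `if` stating that 0 means the value was not explicitly set and the 2048-bit default will be used, so the 1024-bit parameters must not be loaded or warned about in that case. Since this is to be backported to 2.2, it is also worth checking whether any other `<= 1024` comparison on `global_ssl.default_dh_param` treats the unset value as a small key size in the same way.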