BUG/MEDIUM: fix DH length when EC key is used

DH of length 1024 was chosen for the EVP_PKEY_EC key type.
Let us pick "default_dh_param" instead.

The issue was found on Ubuntu 22.04, which is shipped with OpenSSL configured
with SECLEVEL=2 by default. Such a SECLEVEL value prohibits DH shorter than
2048:

OpenSSL error[0xa00018a] SSL_CTX_set0_tmp_dh_pkey: dh key too small

A better strategy for choosing DH still may be considered though.
Ilya Shipitsin 2022-07-23 23:55:19 +05:00 committed by Willy Tarreau
parent 3b64a28e15
commit 52f2ff5b93


@ -3211,6 +3211,10 @@ static HASSL_DH *ssl_get_tmp_dh(EVP_PKEY *pkey)
type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE; type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
if (type == EVP_PKEY_EC) {
keylen = global_ssl.default_dh_param;
}
/* The keylen supplied by OpenSSL can only be 512 or 1024. /* The keylen supplied by OpenSSL can only be 512 or 1024.
See ssl3_send_server_key_exchange() in ssl/s3_srvr.c See ssl3_send_server_key_exchange() in ssl/s3_srvr.c
*/ */
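Review bot: the comment that follows the new `if (type == EVP_PKEY_EC)` block is now stale for the EC path: it still says "The keylen supplied by OpenSSL can only be 512 or 1024", but for EC keys `keylen` has just been overwritten with `global_ssl.default_dh_param`, so that statement no longer describes the value the rest of the function works with. Suggest either moving the override below the comment or rewording the comment to say that the 512/1024 hint applies only to non-EC key types and that EC keys fall back to `default_dh_param`. A one-line comment on the new block stating the reason recorded in the commit message (OpenSSL at SECLEVEL=2 rejects DH groups shorter than 2048 bits, yielding "dh key too small") would also keep that rationale next to the code rather than only in the history; the commit message itself notes that a better selection strategy may still be wanted, so documenting the current choice helps whoever revisits it.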