mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-23 13:17:16 +00:00
BUG/MEDIUM: fix DH length when EC key is used
dh of length 1024 were chosen for EVP_PKEY_EC key type. let us pick "default_dh_param" instead. issue was found on Ubuntu 22.04 which is shipped with OpenSSL configured with SECLEVEL=2 by default. such SECLEVEL value prohibits DH shorter than 2048: OpenSSL error[0xa00018a] SSL_CTX_set0_tmp_dh_pkey: dh key too small better strategy for chosing DH still may be considered though.
This commit is contained in:
parent
3b64a28e15
commit
52f2ff5b93
@ -3211,6 +3211,10 @@ static HASSL_DH *ssl_get_tmp_dh(EVP_PKEY *pkey)
|
||||
|
||||
type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
|
||||
|
||||
if (type == EVP_PKEY_EC) {
|
||||
keylen = global_ssl.default_dh_param;
|
||||
}
|
||||
|
||||
/* The keylen supplied by OpenSSL can only be 512 or 1024.
|
||||
See ssl3_send_server_key_exchange() in ssl/s3_srvr.c
|
||||
*/
|
||||
|
Loading…
Reference in New Issue
Block a user