BUG/MEDIUM: fix DH length when EC key is used

dh of length 1024 were chosen for EVP_PKEY_EC key type.
let us pick "default_dh_param" instead.

issue was found on Ubuntu 22.04 which is shipped with OpenSSL configured
with SECLEVEL=2 by default. such SECLEVEL value prohibits DH shorter than
2048:

OpenSSL error[0xa00018a] SSL_CTX_set0_tmp_dh_pkey: dh key too small

better strategy for chosing DH still may be considered though.
This commit is contained in:
Ilya Shipitsin 2022-07-23 23:55:19 +05:00 committed by Willy Tarreau
parent 3b64a28e15
commit 52f2ff5b93

View File

@ -3211,6 +3211,10 @@ static HASSL_DH *ssl_get_tmp_dh(EVP_PKEY *pkey)
type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
if (type == EVP_PKEY_EC) {
keylen = global_ssl.default_dh_param;
}
/* The keylen supplied by OpenSSL can only be 512 or 1024.
See ssl3_send_server_key_exchange() in ssl/s3_srvr.c
*/