MINOR: ssl: Set default dh size to 2048

Starting from OpenSSLv3, we won't rely on the SSL_CTX_set_tmp_dh_callback mechanism so we will need to know the DH size we want to use during init. In order for the default DH param size to be used when no RSA or DSA private key can be found for a given bind line, we will need to know the default size we want to use (which was not possible the way the code was built, since the global default dh size was set too late.
2025-02-22 21:56:55 +00:00 · 2022-02-11 12:04:54 +01:00 · 2022-02-11 12:04:54 +01:00 · 55d7e782ee
commit 55d7e782ee
parent bed72631f9
2 changed files with 1 additions and 12 deletions
--- a/include/haproxy/defaults.h
+++ b/include/haproxy/defaults.h
@ -354,7 +354,7 @@

 /* ssl max dh param size */
 #ifndef SSL_DEFAULT_DH_PARAM
-#define SSL_DEFAULT_DH_PARAM 0
+#define SSL_DEFAULT_DH_PARAM 2048
 #endif

 /* max memory cost per SSL session */
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -4772,17 +4772,6 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
 #endif

 #ifndef OPENSSL_NO_DH
-	/* If tune.ssl.default-dh-param has not been set,
-	   neither has ssl-default-dh-file and no static DH
-	   params were in the certificate file. */
-	if (global_ssl.default_dh_param == 0 &&
-	    global_dh == NULL &&
-	    (ssl_dh_ptr_index == -1 ||
-	     SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
-		/* default to dh-param 2048 */
-		global_ssl.default_dh_param = 2048;
-	}
-
 	if (global_ssl.default_dh_param >= 1024) {
 		if (local_dh_1024 == NULL) {
 			local_dh_1024 = ssl_get_dh_1024();