From 55d7e782eec37e5e90f0dd36f957ef9a0fc74b96 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Fri, 11 Feb 2022 12:04:54 +0100
Subject: [PATCH] MINOR: ssl: Set default dh size to 2048

Starting from OpenSSLv3, we won't rely on the SSL_CTX_set_tmp_dh_callback mechanism so we will need to know the DH size we want to use during init. In order for the default DH param size to be used when no RSA or DSA private key can be found for a given bind line, we will need to know the default size we want to use (which was not possible the way the code was built, since the global default dh size was set too late.

---
 include/haproxy/defaults.h | 2 +-
 src/ssl_sock.c | 11 -----------
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/include/haproxy/defaults.h b/include/haproxy/defaults.h
index 7e9e9a3d3..9b521dff1 100644
--- a/include/haproxy/defaults.h
+++ b/include/haproxy/defaults.h
@@ -354,7 +354,7 @@
 
 /* ssl max dh param size */
 #ifndef SSL_DEFAULT_DH_PARAM
-#define SSL_DEFAULT_DH_PARAM 0
+#define SSL_DEFAULT_DH_PARAM 2048
 #endif
 
 /* max memory cost per SSL session */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 27d3d527d..d48ec1aed 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4772,17 +4772,6 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con
 #endif
 
 #ifndef OPENSSL_NO_DH
- /* If tune.ssl.default-dh-param has not been set, neither has ssl-default-dh-file and no static DH params were in the certificate file. */
- if (global_ssl.default_dh_param == 0 &&
- global_dh == NULL &&
- (ssl_dh_ptr_index == -1 ||
- SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
- /* default to dh-param 2048 */
- global_ssl.default_dh_param = 2048;
- }
-
 if (global_ssl.default_dh_param >= 1024) {
 if (local_dh_1024 == NULL) {
 local_dh_1024 = ssl_get_dh_1024();
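Review bot: The comment above the macro, `/* ssl max dh param size */`, no longer says that 0 used to be the shipped default and acted as an "unset, decide at run time" sentinel, which is exactly what the removed block in src/ssl_sock.c keyed on; any remaining code or documentation that still tests `default_dh_param == 0` to detect an unconfigured value will now see 2048 instead and should be checked. Suggest `/* ssl max dh param size in bits; applied when tune.ssl.default-dh-param is not set (0 no longer means "unset") */`. A build that overrides SSL_DEFAULT_DH_PARAM back to 0 would, as far as the visible hunk shows, get no run-time fallback any more, so that case is worth a line in the build documentation too.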
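Review bot: The surviving `if (global_ssl.default_dh_param >= 1024)` branch now runs in the cases the removed block deliberately excluded — `global_dh != NULL`, or certificate-embedded DH params reachable through `ssl_dh_ptr_index` ex_data — so the precedence of file- or cert-provided parameters over the generated `local_dh_*` ones now depends entirely on code outside this hunk, presumably the path that later consumes `local_dh_1024`; that ordering is worth confirming rather than assuming. The hunk also relies on `global_ssl.default_dh_param` being initialised from SSL_DEFAULT_DH_PARAM somewhere not shown here. A short comment at the remaining `if` would keep the intent visible: `/* default_dh_param is SSL_DEFAULT_DH_PARAM unless tune.ssl.default-dh-param is set; DH params from ssl-default-dh-file or the certificate still take precedence when the DH source is chosen */`. ssl_sock_prepare_ctx begins and ends outside the hunk.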