From 6d27a92b83f75bab42bda08ed28b70fb95525fd9 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Thu, 5 Nov 2020 19:38:05 +0100
Subject: [PATCH] BUG/MINOR: ssl: don't report 1024 bits DH param load error when it's higher

The default dh_param value is 2048 and it's preset to zero unless explicitly set, so we must not report a warning about DH param not being loadble in 1024 bits when we're going to use 2048.

Thanks to Dinko for reporting this.

This should be backported to 2.2.
---
 src/ssl_sock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6f73a3175..6f28c4f4e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2993,7 +2993,7 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain
 	/* Clear openssl global errors stack */
 	ERR_clear_error();
 
-	if (global_ssl.default_dh_param <= 1024) {
+	if (global_ssl.default_dh_param && global_ssl.default_dh_param <= 1024) {
 		/* we are limited to DH parameter of 1024 bits anyway */
 		if (local_dh_1024 == NULL)
 			local_dh_1024 = ssl_get_dh_1024();
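Review bot: The added `global_ssl.default_dh_param &&` guard relies on 0 meaning "not configured, the 2048-bit default applies", but nothing at the `if` says so, and a reader who sees `0 <= 1024` being skipped has to go back to the commit message to understand why. A comment above the condition would carry that rationale into the code: `/* 0 means "not configured": the 2048-bit default applies, so the 1024-bit fallback must not be taken */`. The branch that actually handles the 0 / 2048-bit case, like the rest of ssl_sock_load_dh_params, lies outside the hunk, so it is worth confirming there that 0 really selects the 2048-bit parameters rather than being treated as a bit size anywhere else. Since the field is read twice on one line, a local such as `int dh_bits = global_ssl.default_dh_param;` tested as `if (dh_bits && dh_bits <= 1024)` would also read more naturally.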