diff options
| -rw-r--r-- | changes-entries/pr68863.txt | 3 | ||||
| -rw-r--r-- | modules/ssl/ssl_engine_init.c | 11 |
2 files changed, 9 insertions, 5 deletions
diff --git a/changes-entries/pr68863.txt b/changes-entries/pr68863.txt new file mode 100644 index 0000000000..d45ffc708c --- /dev/null +++ b/changes-entries/pr68863.txt @@ -0,0 +1,3 @@ + *) mod_ssl: Fix a regression that causes the default DH parameters for a key + no longer set and thus effectively disabling DH ciphers when no explicit + DH parameters are set. PR 68863 [Ruediger Pluem] diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 64e4aaf1dc..f657026d13 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -1416,6 +1416,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s, const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; int i; EVP_PKEY *pkey; + int custom_dh_done = 0; #ifdef HAVE_ECC EC_GROUP *ecgroup = NULL; int curve_nid = 0; @@ -1591,14 +1592,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s, */ certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); if (certfile && !modssl_is_engine_id(certfile)) { - int done = 0, num_bits = 0; + int num_bits = 0; #if OPENSSL_VERSION_NUMBER < 0x30000000L DH *dh = modssl_dh_from_file(certfile); if (dh) { num_bits = DH_bits(dh); SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh); DH_free(dh); - done = 1; + custom_dh_done = 1; } #else pkey = modssl_dh_pkey_from_file(certfile); @@ -1608,18 +1609,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s, EVP_PKEY_free(pkey); } else { - done = 1; + custom_dh_done = 1; } } #endif - if (done) { + if (custom_dh_done) { ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) "Custom DH parameters (%d bits) for %s loaded from %s", num_bits, vhost_id, certfile); } } #if !MODSSL_USE_OPENSSL_PRE_1_1_API - else { + if (!custom_dh_done) { /* If no parameter is manually configured, enable auto * selection. */ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1); |