Hello community, here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2014-08-05 21:11:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/haproxy (Old) and /work/SRC/openSUSE:Factory/.haproxy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy" Changes: -------- --- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2014-07-21 22:34:38.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2014-08-05 21:11:27.000000000 +0200 
@@ -1,0 +2,39 @@ +Wed Jul 30 09:47:38 UTC 2014 - [email protected] + +- pull important fixes from git: + 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch + 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch + 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch + Especially the last patch is important: + As a consequence of various recent changes on the sample + conversion, a corner case has emerged where it is possible to + wait forever for a sample in track-sc*. + +------------------------------------------------------------------- +Mon Jul 28 11:33:14 UTC 2014 - [email protected] + +- update to 1.5.3 + - DOC: fix typo in Unix Socket commands + - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header + - BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange + - DOC: mention that Squid correctly responds 400 to PPv2 header + - BUG/MINOR: http: base32+src should use the big endian version of base32 + - BUG/MEDIUM: connection: fix proxy v2 header again! +- Removed backported patches: + - 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch + - 0002-DOC-fix-typo-in-Unix-Socket-commands.patch + - 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch + - 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch + - 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch + - 0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch + +------------------------------------------------------------------- +Mon Jul 21 13:45:40 UTC 2014 - [email protected] + +- added 0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch: + Last commit 77d1f01 ("BUG/MEDIUM: connection: fix memory + corruption when building a proxy v2 header") was wrong, using + &cn_trash instead of cn_trash resulting in a warning and the + client's SSL cert CN not being stored at the proper location. 
+ +------------------------------------------------------------------- Old: ---- 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch 0002-DOC-fix-typo-in-Unix-Socket-commands.patch 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch haproxy-1.5.2.tar.gz New: ---- 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch haproxy-1.5.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ haproxy.spec ++++++ --- /var/tmp/diff_new_pack.GUnyrA/_old 2014-08-05 21:11:28.000000000 +0200 +++ /var/tmp/diff_new_pack.GUnyrA/_new 2014-08-05 21:11:28.000000000 +0200 @@ -33,7 +33,7 @@ %bcond_without apparmor Name: haproxy -Version: 1.5.2 +Version: 1.5.3 Release: 0 # # @@ -61,11 +61,9 @@ Patch2: haproxy-makefile_lib.patch Patch3: sec-options.patch Patch4: haproxy-1.5_check_config_before_start.patch -Patch5: 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch -Patch6: 0002-DOC-fix-typo-in-Unix-Socket-commands.patch -Patch7: 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch -Patch8: 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch -Patch9: 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch +Patch5: 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch +Patch6: 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch +Patch7: 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch Source99: haproxy-rpmlintrc # Summary: The Reliable, High Performance TCP/HTTP Load Balancer @@ -102,8 +100,6 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 -%patch8 -p1 -%patch9 -p1 %build %{__make} \ ++++++ 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch ++++++ 
>From ad65af7dab9b8d8033fd09d8031cc774a6fbf768 Mon Sep 17 00:00:00 2001 From: Godbach <[email protected]> Date: Mon, 28 Jul 2014 17:31:57 +0800 Subject: [PATCH 1/3] BUG/MINOR: server: move the directive #endif to the end of file If a source file includes proto/server.h twice or more, redefinition errors will be triggered for such inline functions as server_throttle_rate(), server_is_draining(), srv_adm_set_maint() and so on. Just move #endif directive to the end of file to solve this issue. Signed-off-by: Godbach <[email protected]> (cherry picked from commit e468d55998e134dac1b18d5d9d075ffd5691c827) --- include/proto/server.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/proto/server.h b/include/proto/server.h index 9893266..71c8b13 100644 --- a/include/proto/server.h +++ b/include/proto/server.h @@ -54,8 +54,6 @@ static void inline srv_set_sess_last(struct server *s) s->counters.last_sess = now.tv_sec; } -#endif /* _PROTO_SERVER_H */ - /* * Registers the server keyword list <kwl> as a list of valid keywords for next * parsing sessions. @@ -200,6 +198,8 @@ static inline void srv_adm_set_ready(struct server *s) srv_clr_admin_flag(s, SRV_ADMF_FMAINT); } +#endif /* _PROTO_SERVER_H */ + /* * Local variables: * c-indent-level: 8 -- 1.8.4.5 ++++++ 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch ++++++ >From 715e9b892f564e58489f86c125aed2a8994f16e9 Mon Sep 17 00:00:00 2001 
From: Conrad Hoffmann <[email protected]> Date: Mon, 28 Jul 2014 23:22:43 +0200 Subject: [PATCH 2/3] BUG/MINOR: Fix search for -p argument in systemd wrapper. Searching for the pid file in the list of arguments did not take flags without parameters into account, like e.g. -de. Because of this, the wrapper would use a different pid file than haproxy if such an argument was specified before -p. The new version can still yield a false positive for some crazy situations, like your config file name starting with "-p", but I think this is as good as it gets without using getopt or some library. Signed-off-by: Conrad Hoffmann <[email protected]> (cherry picked from commit eb2cf45b72a7e14c581276247381dc1ac76be2c0) --- src/haproxy-systemd-wrapper.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c index ba07ebe..529b213 100644 --- a/src/haproxy-systemd-wrapper.c +++ b/src/haproxy-systemd-wrapper.c @@ -130,11 +130,8 @@ static void sigint_handler(int signum __attribute__((unused))) static void init(int argc, char **argv) { while (argc > 1) { - if (**argv == '-') { - char *flag = *argv + 1; - --argc; ++argv; - if (*flag == 'p') - pid_file = *argv; + if ((*argv)[0] == '-' && (*argv)[1] == 'p') { + pid_file = *(argv + 1); } --argc; ++argv; } -- 1.8.4.5 ++++++ 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch ++++++ >From f94735eb76e634d7531f9c903113f64820c4cec0 Mon Sep 17 00:00:00 2001 
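Review bot: the new test in init(), `(*argv)[0] == '-' && (*argv)[1] == 'p'`, matches any argument that merely starts with "-p" and then reads `*(argv + 1)` even when `-p` is the last argument, in which case pid_file becomes the NULL argv terminator. Suggest requiring `(*argv)[2] == '\0'` and `argc > 2` before `pid_file = *(argv + 1);`, and advancing past the value (a second `--argc; ++argv;`) so the pid file path itself is not re-examined as a flag on the next iteration, which is one of the "-p" false positives the commit message acknowledges.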
From: Willy Tarreau <[email protected]> Date: Wed, 30 Jul 2014 08:56:35 +0200 Subject: [PATCH 3/3] BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc* As a consequence of various recent changes on the sample conversion, a corner case has emerged where it is possible to wait forever for a sample in track-sc*. The issue is caused by the fact that functions relying on sample_process() don't all exactly work the same regarding the SMP_F_MAY_CHANGE flag and the output result. Here it was possible to wait forever for an output sample from stktable_fetch_key() without checking the SMP_OPT_FINAL flag. As a result, if the client connects and closes without sending the data and haproxy expects a sample which is capable of coming, it will ignore this impossible case and will continue to wait. This change adds control for SMP_OPT_FINAL before waiting for extra data. The various relevant functions have been better documented regarding their output values. This fix must be backported to 1.5 since it appeared there. (cherry picked from commit 6bcb0a84e7256f00793fa8ec8a0d6c19c3b22935) --- src/proto_tcp.c | 4 ++-- src/sample.c | 23 ++++++++++++++++++++++- src/stick_table.c | 11 ++++++++++- 3 files changed, 34 insertions(+), 4 deletions(-) diff --git a/src/proto_tcp.c b/src/proto_tcp.c index 9778856..72dc92b 100644 --- a/src/proto_tcp.c +++ b/src/proto_tcp.c @@ -1048,8 +1048,8 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit) t = rule->act_prm.trk_ctr.table.t; key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ | partial, rule->act_prm.trk_ctr.expr, &smp); - if (smp.flags & SMP_F_MAY_CHANGE) - goto missing_data; + if ((smp.flags & SMP_F_MAY_CHANGE) && !(partial & SMP_OPT_FINAL)) + goto missing_data; /* key might appear later */ if (key && (ts = stktable_get_entry(t, key))) { session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts); diff --git a/src/sample.c b/src/sample.c index 3a0f3fb..8e62640 100644 
--- a/src/sample.c +++ b/src/sample.c @@ -896,6 +896,18 @@ out_error: * Note: the fetch functions are required to properly set the return type. The * conversion functions must do so too. However the cast functions do not need * to since they're made to cast mutiple types according to what is required. + * + * The caller may indicate in <opt> if it considers the result final or not. + * The caller needs to check the SMP_F_MAY_CHANGE flag in p->flags to verify + * if the result is stable or not, according to the following table : + * + * return MAY_CHANGE FINAL Meaning for the sample + * NULL 0 * Not present and will never be (eg: header) + * NULL 1 0 Not present yet, could change (eg: POST param) + * NULL 1 1 Not present yet, will not change anymore + * smp 0 * Present and will not change (eg: header) + * smp 1 0 Present, may change (eg: request length) + * smp 1 1 Present, last known value (eg: request length) */ struct sample *sample_process(struct proxy *px, struct session *l4, void *l7, unsigned int opt, 
@@ -1153,7 +1165,16 @@ int smp_resolve_args(struct proxy *p) * and <opt> does not contain SMP_OPT_FINAL, then the sample is returned as-is * with its SMP_F_MAY_CHANGE flag so that the caller can check it and decide to * take actions (eg: wait longer). If a sample could not be found or could not - * be converted, NULL is returned. + * be converted, NULL is returned. The caller MUST NOT use the sample if the + * SMP_F_MAY_CHANGE flag is present, as it is used only as a hint that there is + * still hope to get it after waiting longer, and is not converted to string. + * The possible output combinations are the following : + * + * return MAY_CHANGE FINAL Meaning for the sample + * NULL * * Not present and will never be (eg: header) + * smp 0 * Final value converted (eg: header) + * smp 1 0 Not present yet, may appear later (eg: header) + * smp 1 1 never happens (either flag is cleared on output) */ struct sample *sample_fetch_string(struct proxy *px, struct session *l4, void *l7, unsigned int opt, struct sample_expr *expr) diff --git a/src/stick_table.c b/src/stick_table.c index a708d3c..d39b4ff 100644 --- a/src/stick_table.c +++ b/src/stick_table.c 
@@ -603,7 +603,16 @@ static sample_to_key_fct sample_to_key[SMP_TYPES][STKTABLE_TYPES] = { * no key could be extracted, or a pointer to the converted result stored in * static_table_key in format <table_type>. If <smp> is not NULL, it will be reset * and its flags will be initialized so that the caller gets a copy of the input - * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present). + * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present + * without SMP_OPT_FINAL). The output will be usable like this : + * + * return MAY_CHANGE FINAL Meaning for the sample + * NULL 0 * Not present and will never be (eg: header) + * NULL 1 0 Not present or unstable, could change (eg: req_len) + * NULL 1 1 Not present, will not change anymore + * smp 0 * Present and will not change (eg: header) + * smp 1 0 not possible + * smp 1 1 Present, last known value (eg: request length) */ struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px, struct session *l4, void *l7, unsigned int opt, struct sample_expr *expr, struct sample *smp) -- 1.8.4.5 ++++++ haproxy-1.5.2.tar.gz -> haproxy-1.5.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/CHANGELOG new/haproxy-1.5.3/CHANGELOG --- old/haproxy-1.5.2/CHANGELOG 2014-07-12 16:40:52.000000000 +0200 +++ new/haproxy-1.5.3/CHANGELOG 2014-07-25 08:56:07.000000000 +0200 
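Review bot: the new condition in tcp_inspect_request, `(smp.flags & SMP_F_MAY_CHANGE) && !(partial & SMP_OPT_FINAL)`, only avoids the endless wait because stktable_fetch_key returns NULL for the "not present, will not change anymore" row of the table added in stick_table.c, so the following `if (key && (ts = stktable_get_entry(t, key)))` silently skips tracking; that is consistent, but the diffstat shows this single call site changed, so please confirm no other caller of stktable_fetch_key still does an unconditional `goto missing_data` on SMP_F_MAY_CHANGE, since the same busy wait would apply there. The three documentation tables also differ in wording for the same state ("req_len" vs "request length"); aligning them would make cross-checking the callers easier.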
@@ -1,6 +1,14 @@ ChangeLog : =========== +2014/07/25 : 1.5.3 + - DOC: fix typo in Unix Socket commands + - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header + - BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange + - DOC: mention that Squid correctly responds 400 to PPv2 header + - BUG/MINOR: http: base32+src should use the big endian version of base32 + - BUG/MEDIUM: connection: fix proxy v2 header again! + 2014/07/12 : 1.5.2 - BUG/MEDIUM: backend: Update hash to use unsigned int throughout - BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/README new/haproxy-1.5.3/README --- old/haproxy-1.5.2/README 2014-07-12 16:40:52.000000000 +0200 +++ new/haproxy-1.5.3/README 2014-07-25 08:56:07.000000000 +0200 @@ -1,9 +1,9 @@ ---------------------- HAProxy how-to ---------------------- - version 1.5.2 + version 1.5.3 willy tarreau - 2014/07/12 + 2014/07/25 1) How to build it diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/VERDATE new/haproxy-1.5.3/VERDATE --- old/haproxy-1.5.2/VERDATE 2014-07-12 16:40:52.000000000 +0200 +++ new/haproxy-1.5.3/VERDATE 2014-07-25 08:56:07.000000000 +0200 @@ -1,2 +1,2 @@ $Format:%ci$ -2014/07/12 +2014/07/25 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/VERSION new/haproxy-1.5.3/VERSION --- old/haproxy-1.5.2/VERSION 2014-07-12 16:40:52.000000000 +0200 +++ new/haproxy-1.5.3/VERSION 2014-07-25 08:56:07.000000000 +0200 
@@ -1 +1 @@ -1.5.2 +1.5.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/doc/configuration.txt new/haproxy-1.5.3/doc/configuration.txt --- old/haproxy-1.5.2/doc/configuration.txt 2014-07-12 16:40:52.000000000 +0200 +++ new/haproxy-1.5.3/doc/configuration.txt 2014-07-25 08:56:07.000000000 +0200 @@ -2,9 +2,9 @@ HAProxy Configuration Manual ---------------------- - version 1.5.2 + version 1.5.3 willy tarreau - 2014/07/12 + 2014/07/25 This document covers the configuration language as implemented in the version @@ -13869,7 +13869,7 @@ endless transfer is ongoing. Such terminated sessions are reported with a 'K' flag in the logs. -shutdown sessions <backend>/<server> +shutdown sessions server <backend>/<server> Immediately terminate all the sessions attached to the specified server. This can be used to terminate long-running sessions after a server is put into maintenance mode, for instance. Such terminated sessions are reported with a diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/doc/proxy-protocol.txt new/haproxy-1.5.3/doc/proxy-protocol.txt --- old/haproxy-1.5.2/doc/proxy-protocol.txt 2014-07-12 16:40:52.000000000 +0200 +++ new/haproxy-1.5.3/doc/proxy-protocol.txt 2014-07-25 08:56:07.000000000 +0200 @@ -1,4 +1,4 @@ -2014/06/14 Willy Tarreau +2014/07/25 Willy Tarreau HAProxy Technologies The PROXY protocol Versions 1 & 2 @@ -21,6 +21,7 @@ 2014/05/18 - modify and extend PROXY protocol version 2 2014/06/11 - fix example code to consider ver+cmd merge 2014/06/14 - fix v2 header check in example code, and update Forwarded spec + 2014/07/12 - update list of implementations (add Squid) 1. Background 
@@ -692,6 +693,7 @@ - thttpd 2.20c : 400 Bad Request + abort => pass/optimal - mini-httpd-1.19 : 400 Bad Request + abort => pass/optimal - haproxy 1.4.21 : 400 Bad Request + abort => pass/optimal + - Squid 3 : 400 Bad Request + abort => pass/optimal - SSL : - stud 0.3.47 : connection abort => pass/optimal - stunnel 4.45 : connection abort => pass/optimal diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/examples/haproxy.spec new/haproxy-1.5.3/examples/haproxy.spec --- old/haproxy-1.5.2/examples/haproxy.spec 2014-07-12 16:40:52.000000000 +0200 +++ new/haproxy-1.5.3/examples/haproxy.spec 2014-07-25 08:56:07.000000000 +0200 @@ -1,6 +1,6 @@ Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments Name: haproxy -Version: 1.5.2 +Version: 1.5.3 Release: 1 License: GPL Group: System Environment/Daemons @@ -76,6 +76,9 @@ %attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name} %changelog +* Fri Jul 25 2014 Willy Tarreau <[email protected]> +- updated to 1.5.3 + * Sat Jul 12 2014 Willy Tarreau <[email protected]> - updated to 1.5.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/src/connection.c new/haproxy-1.5.3/src/connection.c --- old/haproxy-1.5.2/src/connection.c 2014-07-12 16:40:52.000000000 +0200 +++ new/haproxy-1.5.3/src/connection.c 2014-07-25 08:56:07.000000000 +0200 @@ -622,6 +622,7 @@ char *value = NULL; struct tlv_ssl *tlv; int ssl_tlv_len = 0; + struct chunk *cn_trash; #endif if (buf_len < PP2_HEADER_LEN) 
@@ -682,8 +683,9 @@ tlv->verify = htonl(ssl_sock_get_verify_result(remote)); } if (srv->pp_opts & SRV_PP_V2_SSL_CN) { - if (ssl_sock_get_remote_common_name(remote, &trash) > 0) { - tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str); + cn_trash = get_trash_chunk(); + if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) { + tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str); ssl_tlv_len += tlv_len; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/src/proto_http.c new/haproxy-1.5.3/src/proto_http.c --- old/haproxy-1.5.2/src/proto_http.c 2014-07-12 16:40:52.000000000 +0200 +++ new/haproxy-1.5.3/src/proto_http.c 2014-07-25 08:56:07.000000000 +0200 @@ -10358,8 +10358,8 @@ return 0; temp = get_trash_chunk(); - memcpy(temp->str + temp->len, &smp->data.uint, sizeof(smp->data.uint)); - temp->len += sizeof(smp->data.uint); + *(unsigned int *)temp->str = htonl(smp->data.uint); + temp->len += sizeof(unsigned int); switch (cli_conn->addr.from.ss_family) { case AF_INET: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/src/ssl_sock.c new/haproxy-1.5.3/src/ssl_sock.c --- old/haproxy-1.5.2/src/ssl_sock.c 2014-07-12 16:40:52.000000000 +0200 +++ new/haproxy-1.5.3/src/ssl_sock.c 2014-07-25 08:56:07.000000000 +0200 @@ -105,6 +105,13 @@ int sslconns = 0; int totalsslconns = 0; +#ifndef OPENSSL_NO_DH +static DH *local_dh_1024 = NULL; +static DH *local_dh_2048 = NULL; +static DH *local_dh_4096 = NULL; +static DH *local_dh_8192 = NULL; +#endif /* OPENSSL_NO_DH */ + #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB struct certificate_ocsp { struct ebmb_node key; 
@@ -1034,16 +1041,16 @@ } if (keylen >= 8192) { - dh = ssl_get_dh_8192(); + dh = local_dh_8192; } else if (keylen >= 4096) { - dh = ssl_get_dh_4096(); + dh = local_dh_4096; } else if (keylen >= 2048) { - dh = ssl_get_dh_2048(); + dh = local_dh_2048; } else { - dh = ssl_get_dh_1024(); + dh = local_dh_1024; } return dh; @@ -1079,11 +1086,11 @@ if (global.tune.ssl_default_dh_param <= 1024) { /* we are limited to DH parameter of 1024 bits anyway */ - dh = ssl_get_dh_1024(); - if (dh == NULL) + local_dh_1024 = ssl_get_dh_1024(); + if (local_dh_1024 == NULL) goto end; - SSL_CTX_set_tmp_dh(ctx, dh); + SSL_CTX_set_tmp_dh(ctx, local_dh_1024); } else { SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh); @@ -1594,6 +1601,28 @@ global.tune.ssl_default_dh_param = 1024; } +#ifndef OPENSSL_NO_DH + if (global.tune.ssl_default_dh_param >= 1024) { + if (local_dh_1024 == NULL) { + local_dh_1024 = ssl_get_dh_1024(); + } + if (global.tune.ssl_default_dh_param >= 2048) { + if (local_dh_2048 == NULL) { + local_dh_2048 = ssl_get_dh_2048(); + } + if (global.tune.ssl_default_dh_param >= 4096) { + if (local_dh_4096 == NULL) { + local_dh_4096 = ssl_get_dh_4096(); + } + if (global.tune.ssl_default_dh_param >= 8192 && + local_dh_8192 == NULL) { + local_dh_8192 = ssl_get_dh_8192(); + } + } + } + } +#endif /* OPENSSL_NO_DH */ + SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk); #if OPENSSL_VERSION_NUMBER >= 0x00907000L SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk); -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
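Review bot: in the proto_http.c hunk, `*(unsigned int *)temp->str = htonl(smp->data.uint);` replaces the memcpy at `temp->str + temp->len` with a store at offset 0, so it relies on the chunk returned by `get_trash_chunk()` on the line just above having len reset to 0 (true here, but no longer an append as the old code was); the cast through `unsigned int *` is also an unaligned-store hazard on strict-alignment targets, and `unsigned int v = htonl(smp->data.uint); memcpy(temp->str, &v, sizeof(v));` keeps the big-endian fix without it.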
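Review bot: the ssl_sock.c hunks are inconsistent about ownership of the static DH pointers: the `ssl_default_dh_param <= 1024` branch does `local_dh_1024 = ssl_get_dh_1024();` unconditionally for every context, whereas the later block guards each assignment with `if (local_dh_1024 == NULL)`. If ssl_get_dh_1024() allocates a fresh DH per call, the unconditional branch overwrites the pointer and leaks the previous one per context, which is exactly the leak this change is meant to close; suggest `if (local_dh_1024 == NULL) local_dh_1024 = ssl_get_dh_1024();` there as well. The nested `>= 2048` / `>= 4096` / `>= 8192` blocks can be flattened into independent `if`s, since each threshold implies the smaller ones. Finally, ssl_get_tmp_dh now returns whichever local_dh_* matches keylen, which is NULL for sizes above ssl_default_dh_param unless the code above the hunk clamps keylen to it; worth confirming, since the callback would otherwise hand OpenSSL a NULL DH.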
