Hi Hervé,

On 05/21/2015 10:11 PM, Hervé Commowick wrote:

> I encounter a problem with dhparam configuration: if I have 2 bind lines, a
> tune.ssl.default-dh-param 2048, and a custom group dhparam in one of the
> pem files, ALL bind lines will use 1024. The one with the custom group will
> work as expected, and the one without will use the default Oakley group 2
> instead of the 2048-bit MODP group 14 (thx Remi for the wording, I'm not
> sure I understand all of that well :))
> 
> this is clearly a bug IMHO, thx anyone who can help (Remi ? :) )

Oh, this is a bug indeed, and it's my fault. In order to prevent the
display of warning messages about default-dh-param not being set when a
static DH group value is used, the value of default-dh-param is
overridden when a static DH group value is found. It does work when you
have only one bind, but it's clearly wrong when more than one is used,
like in your configuration.

Could you try with the attached patch? It's a patch against the 1.6
trunk but it does apply cleanly against 1.5.12.

It will result in false positive messages about default-dh-param not
being set when it's not needed, but to prevent that we will need to
check if each bind has a static DH group value, which I'm not very fond of.

-- 
Rémi



diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9302869..5317a28 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1347,10 +1347,6 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
 	if (dh) {
 		ret = 1;
 		SSL_CTX_set_tmp_dh(ctx, dh);
-		/* Setting ssl default dh param to the size of the static DH params
-		   found in the file. This way we know that there is no use
-		   complaining later about ssl-default-dh-param not being set. */
-		global.tune.ssl_default_dh_param = DH_size(dh) * 8;
 	}
 	else {
 		/* Clear openssl global errors stack */
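Review bot: dropping the assignment to global.tune.ssl_default_dh_param in ssl_sock_load_dh_params is the right fix for the cross-bind leak (one bind's static group was silently becoming the default for every other bind), but it also brings back the startup warning about tune.ssl.default-dh-param for configurations in which every bind carries its own DH group, as the cover note admits. If that noise matters, the size could be kept per bind (store `DH_size(dh) * 8` next to the `SSL_CTX_set_tmp_dh(ctx, dh)` call on the bind's own structure) and the warning emitted only when at least one bind has no static group; either way, the commit message should spell out that the global is no longer touched here and that the patch applies to 1.5.12 as well as 1.6.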

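To make the failure mode visible, here is an added example (not HAProxy code and not part of this thread): a small DER parser that reports the size of the static group in a PEM file's "DH PARAMETERS" block, plus a model of the per-bind selection with and without the global overwrite that the patch removes. The 1024-bit fallback for an unset tune.ssl.default-dh-param, the handshake-time lookup of the global, and the sample PEM inputs are assumptions of this example, not values read from ssl_sock.c.

```python
"""Added example (not HAProxy code, not from the thread).

Parses the "DH PARAMETERS" block of a PEM file to learn the size of the
static DH group it carries, then models how HAProxy picks a group per bind
line, with and without the global overwrite the patch removes.
"""
import base64
import re

# Fallback applied when tune.ssl.default-dh-param is left at 0 (the case the
# warning mentioned in the thread is about). Assumed value for this model.
BUILTIN_FALLBACK_BITS = 1024

_PEM_DH = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_int(buf, i):
    """Decode a DER INTEGER at buf[i]; return (value, index after it)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, i = _der_len(buf, i + 1)
    return int.from_bytes(buf[i:i + length], "big", signed=True), i + length


def dh_param_bits(pem_text):
    """Bit length of the prime p in the PEM's DH PARAMETERS block, or None
    when the file carries no static group (certificate/key only)."""
    m = _PEM_DH.search(pem_text)
    if m is None:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:                    # DHParameter ::= SEQUENCE { p, g }
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_len(der, 1)
    p, i = _der_int(der, i)
    _g, _ = _der_int(der, i)
    return p.bit_length()


def _der_encode_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_encode_int(n):
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")  # keeps sign bit clear
    return b"\x02" + _der_encode_len(len(body)) + body


def make_dh_pem(p, g=2):
    """Build a PEM DH PARAMETERS block for the given p and g (test input)."""
    body = _der_encode_int(p) + _der_encode_int(g)
    b64 = base64.b64encode(b"\x30" + _der_encode_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def select_dh_groups(binds, default_dh_param, patched):
    """Model of the per-bind choice. binds: [(name, pem_text), ...].

    Loading a file with a static group records that group for the bind; on
    unpatched code it also overwrites the global default. Binds without a
    static group read the global at handshake time (modelled as a second
    pass, after every file has been loaded), so load order does not help.
    """
    tune = default_dh_param
    static = {}
    for name, pem in binds:
        bits = dh_param_bits(pem)
        if bits is not None:
            static[name] = bits
            if not patched:
                tune = bits               # the overwrite the patch removes
    fallback = tune if tune else BUILTIN_FALLBACK_BITS
    return {name: static.get(name, fallback) for name, _ in binds}


# Constructed sample inputs: P_1024 is an odd number of the right size, not
# a real DH group. CERT_ONLY_PEM stands in for a PEM with no DH block.
P_1024 = (1 << 1023) | 0x1001
CUSTOM_GROUP_PEM = make_dh_pem(P_1024)
CERT_ONLY_PEM = "(certificate and key only; no DH PARAMETERS block)\n"
BINDS = [("custom", CUSTOM_GROUP_PEM), ("plain", CERT_ONLY_PEM)]

if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched",
              select_dh_groups(BINDS, 2048, patched))
```

Run as-is, the model reproduces the report above: unpatched, the bind without a custom group ends up on the 1024-bit group that the other bind's PEM file carries, even though tune.ssl.default-dh-param is 2048; patched, it gets 2048 and only the bind with the file-supplied group uses 1024. Pointing `dh_param_bits` at the real PEM files of a configuration is a quick way to see which binds will use a static group and which will depend on the global setting.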