
svn commit: r1916863 - in /httpd/httpd/trunk: changes-entries/pr68863.txt modules/ssl/ssl_engine_init.c
Author: rpluem
Date: Mon Apr 8 13:18:28 2024
New Revision: 1916863

URL: http://svn.apache.org/viewvc?rev=1916863&view=rev
Log:
* Ensure that we set the default DH parameters for the key

Replace else with an if as the if branch no longer ensures that
custom DH parameters have been loaded.
This fixes a regression that causes the default DH parameters for a key
to no longer be set, thus effectively disabling DH ciphers when no explicit
DH parameters are set.

PR: 68863

Added:
httpd/httpd/trunk/changes-entries/pr68863.txt (with props)
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

Added: httpd/httpd/trunk/changes-entries/pr68863.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/pr68863.txt?rev=1916863&view=auto
==============================================================================
--- httpd/httpd/trunk/changes-entries/pr68863.txt (added)
+++ httpd/httpd/trunk/changes-entries/pr68863.txt Mon Apr 8 13:18:28 2024
@@ -0,0 +1,3 @@
+ *) mod_ssl: Fix a regression that causes the default DH parameters for a key
+ no longer set and thus effectively disabling DH ciphers when no explicit
+ DH parameters are set. PR 68863 [Ruediger Pluem]

Propchange: httpd/httpd/trunk/changes-entries/pr68863.txt
------------------------------------------------------------------------------
svn:eol-style = native

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1916863&r1=1916862&r2=1916863&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Mon Apr 8 13:18:28 2024
@@ -1416,6 +1416,7 @@ static apr_status_t ssl_init_server_cert
const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
int i;
EVP_PKEY *pkey;
+ int custom_dh_done = 0;
#ifdef HAVE_ECC
EC_GROUP *ecgroup = NULL;
int curve_nid = 0;
@@ -1591,14 +1592,14 @@ static apr_status_t ssl_init_server_cert
*/
certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
if (certfile && !modssl_is_engine_id(certfile)) {
- int done = 0, num_bits = 0;
+ int num_bits = 0;
#if OPENSSL_VERSION_NUMBER < 0x30000000L
DH *dh = modssl_dh_from_file(certfile);
if (dh) {
num_bits = DH_bits(dh);
SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
DH_free(dh);
- done = 1;
+ custom_dh_done = 1;
}
#else
pkey = modssl_dh_pkey_from_file(certfile);
@@ -1608,18 +1609,18 @@ static apr_status_t ssl_init_server_cert
EVP_PKEY_free(pkey);
}
else {
- done = 1;
+ custom_dh_done = 1;
}
}
#endif
- if (done) {
+ if (custom_dh_done) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
"Custom DH parameters (%d bits) for %s loaded from %s",
num_bits, vhost_id, certfile);
}
}
#if !MODSSL_USE_OPENSSL_PRE_1_1_API
- else {
+ if (!custom_dh_done) {
/* If no parameter is manually configured, enable auto
* selection. */
SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
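Review bot: The new `if (!custom_dh_done)` under `#if !MODSSL_USE_OPENSSL_PRE_1_1_API` should carry a comment explaining why it is deliberately not an `else`, because the previous `else` is exactly what regressed once the `certfile` branch above stopped guaranteeing that custom parameters had been installed; something like `/* Deliberately not an "else": the certfile branch above can run without installing custom DH parameters, and DH must still get a default. */` ahead of the existing "If no parameter is manually configured" comment. With this change a certfile whose DH parameters fail to install (the `EVP_PKEY_free(pkey)` path at the top of the hunk, whose condition starts outside it) now falls back to auto-selected parameters; if that failure path does not already log at warning level, it should, so an operator's explicitly configured parameters are not replaced unnoticed. The rename `done` → `custom_dh_done` in the two earlier hunks is fine and keeps the flag visible in the pre-1.1-API build via the debug log. The enclosing function starts and ends outside the hunk.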