BUG/MEDIUM: fix DH length when EC key is used
DH of length 1024 was chosen for the EVP_PKEY_EC key type.
Let us pick "default_dh_param" instead.
The issue was found on Ubuntu 22.04, which is shipped with OpenSSL configured
with SECLEVEL=2 by default. Such a SECLEVEL value prohibits DH shorter than
2048:
OpenSSL error[0xa00018a] SSL_CTX_set0_tmp_dh_pkey: dh key too small
A better strategy for choosing DH may still be considered, though.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1d39826..02b369a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3211,6 +3211,10 @@
type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
+ if (type == EVP_PKEY_EC) {
+ keylen = global_ssl.default_dh_param;
+ }
+
/* The keylen supplied by OpenSSL can only be 512 or 1024.
See ssl3_send_server_key_exchange() in ssl/s3_srvr.c
*/
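Review bot: the new `if (type == EVP_PKEY_EC)` block is placed directly above the comment "The keylen supplied by OpenSSL can only be 512 or 1024", so after this change that comment no longer describes the value keylen holds for EC keys; either move the comment above the new block or extend it to say that for an EC certificate the OpenSSL-supplied keylen is replaced by `global_ssl.default_dh_param`. A short comment on the override itself (why the callback's keylen is not meaningful for an EC key, as the commit message explains) would also help future readers, and since the assignment is unconditional it is worth confirming that the code below handles `global_ssl.default_dh_param` being left unset.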