MINOR: ssl: Set default dh size to 2048
Starting from OpenSSL 3, we will no longer rely on the
SSL_CTX_set_tmp_dh_callback mechanism, so we need to know the DH
size we want to use during init. In order for the default DH param size
to be used when no RSA or DSA private key can be found for a given bind
line, we need to know the default size up front (which was not possible
the way the code was built, since the global default DH size was set
too late).
diff --git a/include/haproxy/defaults.h b/include/haproxy/defaults.h
index 7e9e9a3..9b521df 100644
--- a/include/haproxy/defaults.h
+++ b/include/haproxy/defaults.h
@@ -354,7 +354,7 @@
/* ssl max dh param size */
#ifndef SSL_DEFAULT_DH_PARAM
-#define SSL_DEFAULT_DH_PARAM 0
+#define SSL_DEFAULT_DH_PARAM 2048
#endif
/* max memory cost per SSL session */
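Review bot: The comment above this macro still reads `/* ssl max dh param size */`, but with a non-zero value it now also serves as the built-in default that is used when nothing else supplies DH parameters, so reword it, e.g. `/* default (and maximum) DH parameter size in bits, used when no DH params are found */`. The same commit removes the runtime fallback in ssl_sock.c that used to turn 0 into 2048, so a build that overrides the macro to 0 would presumably no longer get any built-in group at all; the comment should state the accepted values so that override is not made by accident. A small `#if SSL_DEFAULT_DH_PARAM != 0 && SSL_DEFAULT_DH_PARAM < 1024` / `#error` guard would document the same constraint at compile time if the project wants it.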
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 27d3d52..d48ec1a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4772,17 +4772,6 @@
#endif
#ifndef OPENSSL_NO_DH
- /* If tune.ssl.default-dh-param has not been set,
- neither has ssl-default-dh-file and no static DH
- params were in the certificate file. */
- if (global_ssl.default_dh_param == 0 &&
- global_dh == NULL &&
- (ssl_dh_ptr_index == -1 ||
- SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
- /* default to dh-param 2048 */
- global_ssl.default_dh_param = 2048;
- }
-
if (global_ssl.default_dh_param >= 1024) {
if (local_dh_1024 == NULL) {
local_dh_1024 = ssl_get_dh_1024();
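Review bot: Removing this block drops the only check in this path that consulted `global_dh` (ssl-default-dh-file) and the per-context DH ex_data before falling back to the built-in group; with `SSL_DEFAULT_DH_PARAM` now 2048, `global_ssl.default_dh_param >= 1024` is true on every bind line that does not set tune.ssl.default-dh-param, so `local_dh_1024` is now loaded unconditionally. Whether that built-in group is then installed ahead of a user-supplied DH file or certificate-embedded params depends on code after this hunk, so please confirm the precedence is unchanged. Once verified, a comment here such as `/* default_dh_param is never 0 now (SSL_DEFAULT_DH_PARAM); user-supplied DH params are applied below and take precedence */` would spare the next reader the same question. The enclosing function starts and ends outside this hunk.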