MINOR: ssl: Add ssl_sock_set_tmp_dh_from_pkey helper function This helper function will only be used with OpenSSLv3. It simply sets in an SSL_CTX a set of DH parameters of the same size as a certificate's private key. This logic is the same as the one used with older versions, it simply relies on new APIs. If no pkey can be found the SSL_CTX_set_dh_auto function wll be called, making the SSL_CTX rely on DH parameters provided by OpenSSL in case of DHE negotiation.

commit: 5f17930572c30fb21197b7feeb529a2c114af840 [log] [tgz]
author: Remi Tricot-Le Breton <rlebreton@haproxy.com> Fri Feb 11 12:04:51 2022 +0100
committer: William Lallemand <wlallemand@haproxy.org> Mon Feb 14 10:07:14 2022 +0100
tree: e6f6444d64b73fa443b505c5f993d27045e79683
parent: 846eda91bab19c63bbdcac8d46ae20f47c1edb9d [diff]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f75a454..cb363cf 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -3108,6 +3108,20 @@
 #endif
 }
 
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+static void ssl_sock_set_tmp_dh_from_pkey(SSL_CTX *ctx, EVP_PKEY *pkey)
+{
+	HASSL_DH *dh = NULL;
+	if (pkey && (dh = ssl_get_tmp_dh(pkey))) {
+		HASSL_DH_up_ref(dh);
+		if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dh))
+			HASSL_DH_free(dh);
+	}
+	else
+		SSL_CTX_set_dh_auto(ctx, 1);
+}
+#endif
+
 HASSL_DH *ssl_sock_get_dh_from_bio(BIO *bio)
 {
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
commit	5f17930572c30fb21197b7feeb529a2c114af840	[log] [tgz]
author	Remi Tricot-Le Breton <rlebreton@haproxy.com>	Fri Feb 11 12:04:51 2022 +0100
committer	William Lallemand <wlallemand@haproxy.org>	Mon Feb 14 10:07:14 2022 +0100
tree	e6f6444d64b73fa443b505c5f993d27045e79683
parent	846eda91bab19c63bbdcac8d46ae20f47c1edb9d [diff]