Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 6d27a92b83f75bab42bda08ed28b70fb95525fd9^! / .
commit6d27a92b83f75bab42bda08ed28b70fb95525fd9[log] [tgz]
authorWilly Tarreau <w@1wt.eu>Thu Nov 05 19:38:05 2020 +0100
committerWilly Tarreau <w@1wt.eu>Thu Nov 05 19:40:14 2020 +0100
tree00c8f1aba285f3c7b462d5a13168f1e68f8c5b0d
parenteff2e0a958816ace5ea71c4e958dff647b5bf170 [diff]
BUG/MINOR: ssl: don't report 1024 bits DH param load error when it's higher

The default dh_param value is 2048 and it's preset to zero unless explicitly
set, so we must not report a warning about DH param not being loadble in 1024
bits when we're going to use 2048. Thanks to Dinko for reporting this.

This should be backported to 2.2.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6f73a31..6f28c4f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -2993,7 +2993,7 @@
 		/* Clear openssl global errors stack */
 		ERR_clear_error();
 
-		if (global_ssl.default_dh_param <= 1024) {
+		if (global_ssl.default_dh_param && global_ssl.default_dh_param <= 1024) {
 			/* we are limited to DH parameter of 1024 bits anyway */
 			if (local_dh_1024 == NULL)
 				local_dh_1024 = ssl_get_dh_1024();