MINOR: ssl: Remove calls to SSL_CTX_set_tmp_dh_callback on OpenSSLv3
The SSL_CTX_set_tmp_dh_callback function was marked as deprecated in
OpenSSL 3.0, so this patch replaces the per-handshake callback mechanism
with a direct set of DH parameters on the SSL_CTX during init.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 789601e..758b029 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -471,7 +471,11 @@
static HASSL_DH *local_dh_1024 = NULL;
static HASSL_DH *local_dh_2048 = NULL;
static HASSL_DH *local_dh_4096 = NULL;
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
static DH *ssl_get_tmp_dh_cbk(SSL *ssl, int export, int keylen);
+#else
+static void ssl_sock_set_tmp_dh_from_pkey(SSL_CTX *ctx, EVP_PKEY *pkey);
+#endif
#endif /* OPENSSL_NO_DH */
#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
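Review bot: The new forward declaration `static void ssl_sock_set_tmp_dh_from_pkey(SSL_CTX *ctx, EVP_PKEY *pkey);` has no matching definition anywhere in this patch, so on OpenSSL 3.x the two new call sites leave the translation unit with an undefined static function unless the body lands in a separate commit of the same series. If that is the intent, the commit message should say so, since this change alone does not build against OpenSSL 3. The declaration also deserves a one-line contract comment, e.g. `/* Sets DH params on ctx sized from pkey; pkey may be NULL, in which case the configured default size is used */`, because one caller below passes NULL.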
@@ -2237,7 +2241,11 @@
if (newcrt) X509_free(newcrt);
#ifndef OPENSSL_NO_DH
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_get_tmp_dh_cbk);
+#else
+ ssl_sock_set_tmp_dh_from_pkey(ssl_ctx, pkey);
+#endif
#endif
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
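Review bot: The replacement `ssl_sock_set_tmp_dh_from_pkey(ssl_ctx, pkey);` changes when the DH parameters are chosen: the removed callback resolved them at handshake time from `SSL_get_privatekey()` on the live connection, whereas the new code binds them once from the `pkey` in scope at context creation. That is equivalent only if the key attached to this generated-certificate context is never swapped afterwards, which I cannot confirm from this hunk. For OpenSSL 3 the library-recommended replacement when no explicit DH params are configured is `SSL_CTX_set_dh_auto(ssl_ctx, 1)`, which selects an RFC 7919 group matched to the key size at handshake time and would preserve the old per-connection sizing; worth considering as the fallback inside the helper. The enclosing function begins before this hunk.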
@@ -3119,6 +3127,7 @@
return dh;
}
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
/* Returns Diffie-Hellman parameters matching the private key length
but not exceeding global_ssl.default_dh_param */
static HASSL_DH *ssl_get_tmp_dh_cbk(SSL *ssl, int export, int keylen)
@@ -3127,6 +3136,7 @@
return ssl_get_tmp_dh(pkey);
}
+#endif
static int ssl_sock_set_tmp_dh(SSL_CTX *ctx, HASSL_DH *dh)
{
@@ -3426,7 +3436,11 @@
}
}
else {
+#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh_cbk);
+#else
+ ssl_sock_set_tmp_dh_from_pkey(ctx, ckch ? ckch->key : NULL);
+#endif
}
}
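Review bot: `ssl_sock_set_tmp_dh_from_pkey(ctx, ckch ? ckch->key : NULL);` explicitly passes a NULL key, so the helper must treat NULL as "use `global_ssl.default_dh_param`-sized parameters" rather than dereferencing it; the old callback never saw this case because it read the key from the SSL object at handshake time. Since the helper's body is not in this diff, please either guard here, `if (ckch && ckch->key) ssl_sock_set_tmp_dh_from_pkey(ctx, ckch->key); else ssl_sock_set_tmp_dh(ctx, local_dh_2048 /* or the configured default */);`, or document the NULL contract at the call. Silently ending up with no DH parameters on the listener would make DHE cipher suites unavailable, which is a quiet posture change rather than a crash, so it should be checked explicitly. The enclosing function begins before this hunk.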