Diffstat (limited to '2.4/patches/06-dh-regression.patch')
-rw-r--r-- | 2.4/patches/06-dh-regression.patch | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/2.4/patches/06-dh-regression.patch b/2.4/patches/06-dh-regression.patch
new file mode 100644
index 0000000..63cb606
--- /dev/null
+++ b/2.4/patches/06-dh-regression.patch
@@ -0,0 +1,81 @@
+From dee1eb37d787d34cb37df7eab535240e1774293a Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <rpluem@apache.org>
+Date: Mon, 8 Apr 2024 13:18:28 +0000
+Subject: [PATCH] * Ensure that we set the default DH parameters for the key
+
+Replace else with an if as the if branch no longer ensures that
+custome DH parameters have been loaded.
+This fixes a regression that causes the default DH parameters for a key
+no longer set and thus effectively disabling DH ciphers when no explicit
+DH parameters are set.
+
+PR: 68863
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916863 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/pr68863.txt | 3 +++
+ modules/ssl/ssl_engine_init.c | 11 ++++++-----
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+ create mode 100644 changes-entries/pr68863.txt
+
+diff --git a/changes-entries/pr68863.txt b/changes-entries/pr68863.txt
+new file mode 100644
+index 00000000000..d45ffc708cc
+--- /dev/null
++++ b/changes-entries/pr68863.txt
+@@ -0,0 +1,3 @@
++ *) mod_ssl: Fix a regression that causes the default DH parameters for a key
++ no longer set and thus effectively disabling DH ciphers when no explicit
++ DH parameters are set.
PR 68863 [Ruediger Pluem]
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 64e4aaf1dcd..f657026d137 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -1416,6 +1416,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+ const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
+ int i;
+ EVP_PKEY *pkey;
++ int custom_dh_done = 0;
+ #ifdef HAVE_ECC
+ EC_GROUP *ecgroup = NULL;
+ int curve_nid = 0;
+@@ -1591,14 +1592,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+ */
+ certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
+ if (certfile && !modssl_is_engine_id(certfile)) {
+- int done = 0, num_bits = 0;
++ int num_bits = 0;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+ DH *dh = modssl_dh_from_file(certfile);
+ if (dh) {
+ num_bits = DH_bits(dh);
+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
+ DH_free(dh);
+- done = 1;
++ custom_dh_done = 1;
+ }
+ #else
+ pkey = modssl_dh_pkey_from_file(certfile);
+@@ -1608,18 +1609,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+ EVP_PKEY_free(pkey);
+ }
+ else {
+- done = 1;
++ custom_dh_done = 1;
+ }
+ }
+ #endif
+- if (done) {
++ if (custom_dh_done) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
+ "Custom DH parameters (%d bits) for %s loaded from %s",
+ num_bits, vhost_id, certfile);
+ }
+ }
+ #if !MODSSL_USE_OPENSSL_PRE_1_1_API
+- else {
++ if (!custom_dh_done) {
+ /* If no parameter is manually configured, enable auto
+ * selection. */
+ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1); |
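Review bot: The new `if (!custom_dh_done)` fallback in the last hunk of ssl_engine_init.c is silent: only the success path logs (APLOGNO(02540)), so neither a certfile whose DH parameters failed to load (`modssl_dh_from_file` returning NULL, or — inferred, since the middle of the OpenSSL 3 branch lies between the hunks — a failed `SSL_CTX_set0_tmp_dh_pkey`) nor a regression like PR 68863 leaves any trace in the error log. A trace-level line next to `SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);`, e.g. `ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "No custom DH parameters for %s, enabling auto DH selection", vhost_id);`, would make the chosen DH source visible when debugging cipher availability (APLOGNO is, as far as I recall, not required at trace levels). Note also that this is a verbatim trunk commit (git-svn-id trunk@1916863) dropped into the 2.4 patch set, so the hunk offsets (1416/1591/1608) are trunk offsets; confirm it applies without fuzz to the packaged 2.4.x source. The enclosing function ssl_init_server_certs starts before the first hunk and continues past the last one.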