Diffstat (limited to '2.4/patches/06-dh-regression.patch')
-rw-r--r--2.4/patches/06-dh-regression.patch81
1 files changed, 0 insertions, 81 deletions
diff --git a/2.4/patches/06-dh-regression.patch b/2.4/patches/06-dh-regression.patch
deleted file mode 100644
index 63cb606..0000000
--- a/2.4/patches/06-dh-regression.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From dee1eb37d787d34cb37df7eab535240e1774293a Mon Sep 17 00:00:00 2001
-From: Ruediger Pluem <rpluem@apache.org>
-Date: Mon, 8 Apr 2024 13:18:28 +0000
-Subject: [PATCH] * Ensure that we set the default DH parameters for the key
-
-Replace else with an if as the if branch no longer ensures that
-custome DH parameters have been loaded.
-This fixes a regression that causes the default DH parameters for a key
-no longer set and thus effectively disabling DH ciphers when no explicit
-DH parameters are set.
-
-PR: 68863
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916863 13f79535-47bb-0310-9956-ffa450edef68
----
- changes-entries/pr68863.txt | 3 +++
- modules/ssl/ssl_engine_init.c | 11 ++++++-----
- 2 files changed, 9 insertions(+), 5 deletions(-)
- create mode 100644 changes-entries/pr68863.txt
-
-diff --git a/changes-entries/pr68863.txt b/changes-entries/pr68863.txt
-new file mode 100644
-index 00000000000..d45ffc708cc
---- /dev/null
-+++ b/changes-entries/pr68863.txt
-@@ -0,0 +1,3 @@
-+ *) mod_ssl: Fix a regression that causes the default DH parameters for a key
-+ no longer set and thus effectively disabling DH ciphers when no explicit
-+ DH parameters are set. PR 68863 [Ruediger Pluem]
-diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
-index 64e4aaf1dcd..f657026d137 100644
---- a/modules/ssl/ssl_engine_init.c
-+++ b/modules/ssl/ssl_engine_init.c
-@@ -1416,6 +1416,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
- const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
- int i;
- EVP_PKEY *pkey;
-+ int custom_dh_done = 0;
- #ifdef HAVE_ECC
- EC_GROUP *ecgroup = NULL;
- int curve_nid = 0;
-@@ -1591,14 +1592,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
- */
- certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
- if (certfile && !modssl_is_engine_id(certfile)) {
-- int done = 0, num_bits = 0;
-+ int num_bits = 0;
- #if OPENSSL_VERSION_NUMBER < 0x30000000L
- DH *dh = modssl_dh_from_file(certfile);
- if (dh) {
- num_bits = DH_bits(dh);
- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
- DH_free(dh);
-- done = 1;
-+ custom_dh_done = 1;
- }
- #else
- pkey = modssl_dh_pkey_from_file(certfile);
-@@ -1608,18 +1609,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
- EVP_PKEY_free(pkey);
- }
- else {
-- done = 1;
-+ custom_dh_done = 1;
- }
- }
- #endif
-- if (done) {
-+ if (custom_dh_done) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
- "Custom DH parameters (%d bits) for %s loaded from %s",
- num_bits, vhost_id, certfile);
- }
- }
- #if !MODSSL_USE_OPENSSL_PRE_1_1_API
-- else {
-+ if (!custom_dh_done) {
- /* If no parameter is manually configured, enable auto
- * selection. */
- SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);