From 7e80af04cafb303fab4d02210c03c34e2b163e58 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Fri, 14 Jun 2024 11:23:44 +0200
Subject: [PATCH] MINOR: ssl: relax the 'ssl.default-dh-param' keyword parsing
Some libraries are ignoring SSL_CTX_set_tmp_dh_callback(), but disabling the 'ssl.default-dh-param' keyword when the function is not supported would result in an error instead of silently continuing.
This patch emits a warning when the keyword is not supported instead of a loading failure.
---
 src/cfgparse-ssl.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index e7a7d471b..478f0bcc3 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -563,6 +563,8 @@ static int ssl_parse_global_dh_param_file(char **args, int section_type, struct
 return 0;
 }
+#endif
+
 /* parse "ssl.default-dh-param".
 * Returns <0 on alert, >0 on warning, 0 on success.
 */
@@ -570,6 +572,8 @@ static int ssl_parse_global_default_dh(char **args, int section_type, struct pro
 const struct proxy *defpx, const char *file, int line, char **err)
 {
+#ifndef OPENSSL_NO_DH
+
 if (too_many_args(1, args, err, NULL))
 return -1;
@@ -584,9 +588,13 @@ static int ssl_parse_global_default_dh(char **args, int section_type, struct pro
 return -1;
 }
 return 0;
-}
+#else
+ memprintf(err, "'%s' is not supported by %s, keyword ignored", args[0], OpenSSL_version(OPENSSL_VERSION));
+ return ERR_WARN;
 #endif
+}
+
 /*
 * parse "ssl-load-extra-files".
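Review bot: The new `#else` path in the third hunk (`@@ -584,9 +588,13 @@`) is selected by `OPENSSL_NO_DH`, while the description motivates the change with libraries that ignore `SSL_CTX_set_tmp_dh_callback()`; if such a library is built with DH support and does not define `OPENSSL_NO_DH`, the keyword still takes the `#ifndef` path opened in the second hunk and is accepted with no warning at all, so it is worth confirming which libraries actually expose that macro. The warning text could also tell the operator what is not being enforced, e.g. `"'%s' is not supported by %s, keyword ignored (configured default DH parameters will not be applied)"`, since a silently ignored `tune.ssl.default-dh-param` is easy to miss in a warning-heavy startup log. The header comment `/* parse "ssl.default-dh-param".` in the first hunk documents only the DH-enabled contract; adding ` * Without DH support (OPENSSL_NO_DH) the keyword is accepted but ignored and ERR_WARN is returned.` would record the new behaviour next to the existing return-value note. The part of ssl_parse_global_default_dh between the second and third hunks lies outside the diff.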
@@ -2308,9 +2316,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 { CFG_GLOBAL, "ssl-security-level", ssl_parse_security_level },
 { CFG_GLOBAL, "ssl-skip-self-issued-ca", ssl_parse_skip_self_issued_ca },
 { CFG_GLOBAL, "tune.ssl.cachesize", ssl_parse_global_int },
-#ifndef OPENSSL_NO_DH
 { CFG_GLOBAL, "tune.ssl.default-dh-param", ssl_parse_global_default_dh },
-#endif
 { CFG_GLOBAL, "tune.ssl.force-private-cache", ssl_parse_global_private_cache },
 { CFG_GLOBAL, "tune.ssl.lifetime", ssl_parse_global_lifetime },
 { CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int },