Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 5.5(EOL), 10.0(EOL), 10.1(EOL)
Fix Version/s: 10.1.9-3
Description
When establishing a client SSL connection, the client tries to set up Diffie-Hellman parameters,
which should be used on the server only.
See http://linux.die.net/man/3/ssl_ctx_set_tmp_dh : "These functions apply to SSL/TLS servers only."
Suggested fix:
--- a/vio/viosslfactories.c
|
+++ b/vio/viosslfactories.c
|
@@ -259,14 +259,17 @@ static void check_ssl_init()
|
}
|
|
/* DH stuff */
|
- dh=get_dh2048();
|
- if (!SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh))
|
+ if (!is_client_method)
|
{
|
- *error= SSL_INITERR_DH;
|
- goto err3;
|
- }
|
+ dh=get_dh2048();
|
+ if (!SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh))
|
+ {
|
+ *error= SSL_INITERR_DH;
|
+ goto err3;
|
+ }
|
|
- DH_free(dh);
|
+ DH_free(dh);
|
+ }
|
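Review bot: the error path in this hunk still leaks the DH object: when SSL_CTX_set_tmp_dh() fails, `goto err3` jumps out before the new `DH_free(dh);` is reached, so the parameters returned by get_dh2048() are never released (the removed lines had the same problem, but since the block is being rewritten this is the natural place to fix it). The return value of get_dh2048() is also passed to SSL_CTX_set_tmp_dh() without a NULL check. Suggest `dh=get_dh2048(); if (!dh || !SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh)) { DH_free(dh); *error= SSL_INITERR_DH; goto err3; }` (DH_free() accepts NULL). Separately, the hunk header shows check_ssl_init() as context while the added code depends on `is_client_method`; please confirm that name is in scope in the enclosing function, since nothing in the hunk defines it.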