authorMatt Caswell <matt@openssl.org>2015-12-17 02:57:20 +0000
committerMatt Caswell <matt@openssl.org>2016-01-28 13:49:56 +0000
commitc5b831f21d0d29d1e517d139d9d101763f60c9a2 (patch)
tree2aebad0d6d8665b8ea93cce5571d659ba7ff882e /ssl/ssl.h
parent878e2c5b13010329c203f309ed0c8f2113f85648 (diff)
Always generate DH keys for ephemeral DH cipher suites
Modified version of the commit ffaef3f15 in the master branch by Stephen Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always generates a new DH key for every handshake regardless.

CVE-2016-0701 (fix part 2 of 2)

Issue reported by Antonio Sanso

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Diffstat (limited to 'ssl/ssl.h')
-rw-r--r--ssl/ssl.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/ssl.h b/ssl/ssl.h
index a31c085711..ae8c92575e 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -625,7 +625,7 @@ struct ssl_session_st {
# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
/* If set, always create a new key when using tmp_ecdh parameters */
# define SSL_OP_SINGLE_ECDH_USE 0x00080000L
-/* If set, always create a new key when using tmp_dh parameters */
+/* Does nothing: retained for compatibility */
# define SSL_OP_SINGLE_DH_USE 0x00100000L
/* Does nothing: retained for compatibiity */
# define SSL_OP_EPHEMERAL_RSA 0x0
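Review bot: The new comment on `SSL_OP_SINGLE_DH_USE` says only "Does nothing", which a reader can take to mean the single-use protection is gone rather than that it is now unconditional. I would word it `/* No-op: a new DH key is always generated for every handshake; retained for compatibility */` so the header records the behaviour the commit message describes. The macro keeps its value `0x00100000L` (unlike `SSL_OP_EPHEMERAL_RSA`, which is `0x0`), so callers that set or test the bit are unaffected, and the comment could say that too. The neighbouring `SSL_OP_SINGLE_ECDH_USE` comment still reads "If set", so from this hunk ECDH key reuse appears to remain opt-in; it is worth confirming that this asymmetry is intended.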