Auto DH support.

Add auto DH parameter support. This is roughly equivalent to the ECDH auto curve selection but for DH. An application can just call SSL_CTX_set_auto_dh(ctx, 1); and appropriate DH parameters will be used based on the size of the server key. Unlike ECDH there is no way a peer can indicate the range of DH parameters it supports. Some peers cannot handle DH keys larger that 1024 bits for example. In this case if you call: SSL_CTX_set_auto_dh(ctx, 2); Only 1024 bit DH parameters will be used. If the server key is 7680 bits or more in size then 8192 bit DH parameters will be used: these will be *very* slow. The old export ciphersuites aren't supported but those are very insecure anyway.
author: Dr. Stephen Henson <steve@openssl.org> 2014-01-22 16:22:48 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2014-03-28 14:49:04 +0000
commit: 09599b52d4e295c380512ba39958a11994d63401 (patch)
tree: a2bbccfe21abc225b7010c37638d5e0416778e3d /ssl/ssl_cert.c
parent: 2514fa79acba998c2a8d4e5a8288a5b3ae990377 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 3ad0f8bca3..665623eed8 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -257,6 +257,7 @@ CERT *ssl_cert_dup(CERT *cert)
 			}
 		}
 	ret->dh_tmp_cb = cert->dh_tmp_cb;
+	ret->dh_tmp_auto = cert->dh_tmp_auto;
 #endif
 
 #ifndef OPENSSL_NO_ECDH
author	Dr. Stephen Henson <steve@openssl.org>	2014-01-22 16:22:48 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2014-03-28 14:49:04 +0000
commit	09599b52d4e295c380512ba39958a11994d63401 (patch)
tree	a2bbccfe21abc225b7010c37638d5e0416778e3d /ssl/ssl_cert.c
parent	2514fa79acba998c2a8d4e5a8288a5b3ae990377 (diff)