Remove calls to SSL_CTX_set_ecdh_auto()

SSL_CTX_set_ecdh_auto() was introduced for OpenSSL 1.0.2. It has no effect for OpenSSL 1.1.0 and later. For versions before 1.0.2 and after (and including 1.1.0) it should not be called. The macro was erroneously being called twice for OpenSSL 3.0.0 and later - this has also been remedied
neutrinolabs · Oct 28, 2024 · a958e37 · a958e37
1 parent 514c62c
commit a958e37
Showing 1 changed file with 5 additions and 8 deletions.
diff --git a/common/ssl_calls.c b/common/ssl_calls.c
@@ -1104,15 +1104,12 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
         return 1;
     }
     DH_free(dh); // ok to free, copied into ctx by SSL_CTX_set_tmp_dh()
-#else
-    if (!SSL_CTX_set_dh_auto(self->ctx, 1))
-    {
-        LOG(LOG_LEVEL_ERROR, "TLS DHE auto failed to be enabled");
-        dump_ssl_error_stack(self);
-        return 1;
-    }
 #endif
-#if defined(SSL_CTX_set_ecdh_auto)
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10000020L) && \
+    OPENSSL_VERSION_NUMBER < (0x10100000L)
+    // SSL_CTX_set_ecdh_auto() added in OpenSSL 1.0.2 and
+    // removed for OpenSSL 1.1.0
     if (!SSL_CTX_set_ecdh_auto(self->ctx, 1))
     {
         LOG(LOG_LEVEL_WARNING, "TLS ecdh auto failed to be enabled");