tls: Use automatic DH parameter selection with OpenSSL 1.1.0 and later,

rather than only for 3.0.0+.
cyrusimap · Dec 6, 2024 · fcd241a · fcd241a
1 parent 8265221
commit fcd241a
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/imap/tls.c b/imap/tls.c
@@ -150,7 +150,7 @@ static int tls_serverengine = 0; /* server engine initialized? */
 static int tls_clientengine = 0; /* client engine initialized? */
 static int do_dump = 0;         /* actively dumping protocol? */
 
-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && (OPENSSL_VERSION_NUMBER < 0x30000000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && (OPENSSL_VERSION_NUMBER < 0x10101000L)
 static DH *dh_params = NULL;
 #endif
 
@@ -241,7 +241,7 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
 }
 #endif
 
-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && (OPENSSL_VERSION_NUMBER < 0x30000000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && (OPENSSL_VERSION_NUMBER < 0x10101000L)
 /* Logic copied from OpenSSL apps/s_server.c: give the TLS context
  * DH params to work with DHE-* cipher suites. Hardcoded fallback
  * in case no DH params in server_key or server_cert.
@@ -295,7 +295,7 @@ static DH *load_dh_param(const char *dhfile, const char *keyfile, const char *ce
 
     return(ret);
 }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x009080fL */
+#endif /* OPENSSL_VERSION_NUMBER >= 0x009080fL && OPENSSL_VERSION_NUMBER < 0x10101000L */
 
 /* taken from OpenSSL apps/s_cb.c */
 
@@ -1020,7 +1020,7 @@ EXPORTED int     tls_init_serverengine(const char *ident,
     SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);
 #endif
 
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
     SSL_CTX_set_dh_auto(s_ctx, 1);
 #elif (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
     /* Load DH params for DHE-* key exchanges */

diff --git a/lib/imapoptions b/lib/imapoptions
@@ -3139,7 +3139,7 @@ product version in the capabilities
 
 { "tls_server_dhparam", NULL, STRING, "3.1.4" }
 /* File containing the DH parameters belonging to the certificate in
-   tls_server_cert. Used by OpenSSL before version 3.0. */
+   tls_server_cert. Used by OpenSSL before version 1.1.1. */
 
 { "tls_server_key", NULL, STRING, "3.1.8" }
 /* File containing the private key belonging to the certificate in