Bodo Möller authored
in SSL_new. If SSL_OP_SINGLE_DH_USE is set, don't waste time in SSL_[CTX_]set_tmp_dh on computing a DH key that will be ignored anyway. ssltest -dhe1024dsa (w/ 160-bit sub-prime) had an unfair performance advantage over -dhe1024 (safe prime): SSL_OP_SINGLE_DH_USE was effectively always enabled because SSL_new ignored the DH key set in the SSL_CTX. Now -dhe1024 takes the server only about twice as long as -dhe1024dsa instead of three times as long (for 1024 bit RSA with 1024 bit DH).
e11f0de6