From d8dcfd75fea6f33ae70886fea94d230e05542577 Mon Sep 17 00:00:00 2001 From: "Roger A. Light" Date: Wed, 9 Dec 2020 15:49:57 +0000 Subject: [PATCH] lib: Fix DH group not being set for TLS connections. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This meant ciphers using DHE couldn't be used. Closes #1925. Closes #1476. Thanks to Jonathan Sönnerup, Valerii Demeshko, and sectokia. --- ChangeLog.txt | 4 ++++ lib/net_mosq.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/ChangeLog.txt b/ChangeLog.txt index d762a3f5..0a7b4b47 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -4,6 +4,10 @@ Broker: - Fix DH group not being set for TLS connections, which meant ciphers using DHE couldn't be used. Closes #1925. Closes #1476. +Client library: +- Fix DH group not being set for TLS connections, which meant ciphers using + DHE couldn't be used. Closes #1925. Closes #1476. + Apps: - Fix `mosquitto_passwd -U` diff --git a/lib/net_mosq.c b/lib/net_mosq.c index 1000d4ed..0d8f9133 100644 --- a/lib/net_mosq.c +++ b/lib/net_mosq.c @@ -715,6 +715,10 @@ static int net__init_ssl_ctx(struct mosquitto *mosq) return MOSQ_ERR_INVAL; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + /* Allow use of DHE ciphers */ + SSL_CTX_set_dh_auto(mosq->ssl_ctx, 1); +#endif /* Disable compression */ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_COMPRESSION);
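Review bot: The new "Client library" ChangeLog entry does not mention that the fix is conditional on the OpenSSL version: the lib/net_mosq.c hunk wraps the `SSL_CTX_set_dh_auto()` call in `#if OPENSSL_VERSION_NUMBER >= 0x10100000L`, so a client library built against an older OpenSSL still cannot negotiate DHE ciphers. Consider stating the requirement in the entry, e.g. "... couldn't be used. Requires OpenSSL 1.1.0 or later." so users reading the changelog know why DHE may still fail on older builds.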
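Review bot: The version guard in the net_mosq.c hunk, `#if OPENSSL_VERSION_NUMBER >= 0x10100000L`, looks stricter than necessary and silently leaves the bug in place for OpenSSL 1.0.2 builds: `SSL_CTX_set_dh_auto()` is, to my recollection, available as an `SSL_CTX_ctrl` macro from 1.0.2 onward, so the guard could be `>= 0x10002000L`; if 1.0.2 is intentionally excluded, an `#else` with a comment (or a compile-time warning) would make that explicit rather than leaving DHE quietly unavailable. Two smaller points on the same hunk: the return value of `SSL_CTX_set_dh_auto()` is discarded (it reports success/failure like the other `SSL_CTX_ctrl` wrappers, so a `log__printf` on failure would help diagnose "DHE still not working" reports such as #1925 and #1476), and a blank line after `#endif` before the `/* Disable compression */` comment would match the spacing used elsewhere in `net__init_ssl_ctx()`.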