From e81216c172446176e431626f836f7a2aa501e06a Mon Sep 17 00:00:00 2001 From: "Roger A. Light" Date: Wed, 9 Dec 2020 15:53:54 +0000 Subject: [PATCH] Fix DH group not being set for TLS connections. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This meant ciphers using DHE couldn't be used. Closes #1925. Closes #1476. Thanks to Jonathan Sönnerup, Valerii Demeshko, and sectokia. --- ChangeLog.txt | 2 ++ src/net.c | 3 +++ 2 files changed, 5 insertions(+) diff --git a/ChangeLog.txt b/ChangeLog.txt index 608d6270..39b49d2f 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,5 +1,7 @@ Broker: - Fix crash on Windows if loading a plugin fails. Closes #1866. +- Fix DH group not being set for TLS connections, which meant ciphers using + DHE couldn't be used. Closes #1925. Closes #1476. - Fix listener not being reassociated with client when reloading a persistence file and `per_listener_settings true` is set and the client did not set a username. Closes #1891. diff --git a/src/net.c b/src/net.c index 3833b947..7dbdb3a4 100644 --- a/src/net.c +++ b/src/net.c @@ -369,6 +369,9 @@ int net__tls_server_ctx(struct mosquitto__listener *listener) SSL_CTX_set_ecdh_auto(listener->ssl_ctx, 1); #endif #endif +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + SSL_CTX_set_dh_auto(listener->ssl_ctx, 1); +#endif #ifdef SSL_OP_NO_RENEGOTIATION SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_RENEGOTIATION);
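Review bot: in the src/net.c hunk the return value of SSL_CTX_set_dh_auto(listener->ssl_ctx, 1) is discarded, so if OpenSSL declines to enable automatic DH parameter selection the listener still starts and DHE ciphers keep failing at handshake time exactly as before this fix, with no log line to point at the cause; consider treating a non-1 return the same way this function handles other SSL_CTX setup failures. The guard is also inconsistent with the rest of the function: the ecdh_auto block and the SSL_OP_NO_RENEGOTIATION line just below both feature-test with #ifdef, whereas the new lines use a raw `OPENSSL_VERSION_NUMBER >= 0x10100000L` comparison, which ties the fix to a version number rather than to the presence of the API (SSL_CTX_set_dh_auto is a macro over SSL_CTX_ctrl, so `#ifdef SSL_CTRL_SET_DH_AUTO` would express the same intent and behave better on forks that report a different version number). Finally, since the commit says DHE ciphers "couldn't be used", a regression test that connects with a DHE-only cipher list against a TLS listener would catch this being lost again; nothing in the patch adds one.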