From c2f62f03aac45fad76aaf88d5dbbaf56a8f3c7e1 Mon Sep 17 00:00:00 2001
From: "Roger A. Light" <roger@atchoo.org>
Date: Tue, 1 Dec 2020 10:55:00 +0000
Subject: [PATCH] Set SSL_OP_SINGLE_DH_USE to protect against weak dhparam
 primes.

---
 src/net.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/net.c b/src/net.c
index acd60025..848b294d 100644
--- a/src/net.c
+++ b/src/net.c
@@ -345,6 +345,11 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
 		return MOSQ_ERR_TLS;
 	}
+	/* Use a new key when using temporary/ephemeral DH parameters.
+	 * This shouldn't be necessary, but we can't guarantee that `dhparam` has
+	 * been generated using strong primes.
+	 */
+	SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_SINGLE_DH_USE);
 
 #ifdef SSL_OP_NO_COMPRESSION
 	/* Disable compression */