From ea574439f76bb3914b8b8c0be8e40ee826c95afc Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Fri, 22 Mar 2019 10:32:46 +0100
Subject: [PATCH] tls: make dh to openssl 1.1 compatible
Effective the same approach used in libanyevent-perl 7.140-3[0] Stretch is also compatible with this, and we can remove it for buster/PVE 6 once the libanyevent-perl package transitioned to from unstable to buster, until then do it ourself to have a functioning api/proxy...
[0]: https://salsa.debian.org/perl-team/modules/packages/libanyevent-perl/commit/7f3d5721bb915c0c24088c3ff361238938172108
Signed-off-by: Thomas Lamprecht
---
 PVE/APIServer/AnyEvent.pm | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
index b2330a5..1a01d17 100644
--- a/PVE/APIServer/AnyEvent.pm
+++ b/PVE/APIServer/AnyEvent.pm
@@ -574,6 +574,9 @@ sub proxy_request {
 sslv2 => 0,
 sslv3 => 0,
 verify => 1,
+ # be compatible with openssl 1.1, fix for debian bug #923615
+ # remove once libanyeven-perl with this fix transitions to buster
+ dh => 'schmorp2048',
 verify_cb => sub {
 my (undef, undef, undef, $depth, undef, undef, $cert) = @_;
 # we don't care about intermediate or root certificates
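Review bot: The comment added above `dh => 'schmorp2048'` does not say why a TLS context used for outgoing proxy connections needs DH parameters at all, and it misspells the package name as `libanyeven-perl`, so a later grep for `libanyevent-perl` will miss this workaround. Going by the commit message and the referenced Debian bug, the library's default parameter set appears to be what OpenSSL 1.1 refuses; saying so keeps the next reader from treating the line as a cipher preference that can be dropped or weakened. Suggested wording: `# override AnyEvent::TLS's default dh params, which openssl 1.1 does not accept (debian bug #923615)` followed by `# FIXME: remove once libanyevent-perl with this fix transitions to buster`. Only this one context is touched by the patch; any other TLS context in the file that still relies on the library default would presumably fail the same way and is worth checking. proxy_request starts before and continues past the hunk.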