authorRob Crittenden <rcritten@redhat.com>2016-02-29 14:45:44 -0500
committerRob Crittenden <rcritten@redhat.com>2016-02-29 16:09:17 -0500
commitae8c616ade2199ca26bd39374707d44a04be7db3 (patch)
treef7c308f5b24549a5c3f1d42547f5823a8b47caf7
parent5b93aa509881c307050de41e88000c33e13080be (diff)
Fix test for DH cipher directive
Since we don't support ADH ciphers, we can just ignore DH-*. Note that OpenSSL defines the DH- ciphers but does not implement them, so the DH string support is there only for compatibility.
-rw-r--r--nss_engine_cipher.c9
-rw-r--r--test/test_cipher.py2
2 files changed, 11 insertions, 0 deletions
diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c
index ffa537e..4b059b0 100644
--- a/nss_engine_cipher.c
+++ b/nss_engine_cipher.c
@@ -307,6 +307,15 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
} else if (!strcmp(cipher, "aRSA")) {
mask |= SSL_aRSA;
} else if (!strcmp(cipher, "EDH")) {
+ /* Normally this is kEDH:-ADH but since we don't
+ * support ADH this is sufficient.
+ */
+ mask |= SSL_kEDH;
+ } else if (!strcmp(cipher, "DH")) {
+ /* non-ephemeral DH. The ciphers are defined
+ * but not implemented in OpenSSL so manage
+ * this here.
+ */
mask |= SSL_kEDH;
#if 0
} else if (!strcmp(cipher, "ADH")) {
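Review bot: The comment on the new `DH` branch says "non-ephemeral DH", but the branch sets `mask |= SSL_kEDH`, the same ephemeral mask as the `EDH` branch above it, so the comment and the behaviour disagree. An administrator who lists `DH` in the cipher directive is therefore acting on the ephemeral DHE suites, and the comment should say so plainly. I would reword it to something like `/* No fixed-DH suites are supported; DH is accepted for OpenSSL compatibility and treated as kEDH. */`. The enclosing parse_openssl_ciphers() starts and ends outside the hunk, so how the mask is applied for exclusions such as `!DH` is not visible here and is worth checking against this alias.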
diff --git a/test/test_cipher.py b/test/test_cipher.py
index 4e69fc6..f1d39df 100644
--- a/test/test_cipher.py
+++ b/test/test_cipher.py
@@ -53,6 +53,8 @@ def assert_equal_openssl(ciphers):
continue
if not ENABLE_GCM and 'GCM' in o:
continue
+ if o.startswith('DH-'):
+ continue
if o in CIPHERS_NOT_IN_NSS:
continue
t.append(o)
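Review bot: The new `if o.startswith('DH-'):` skip has no comment, so a reader of the test cannot tell why these OpenSSL names are dropped from the comparison while the neighbouring skips are tied to a flag or to `CIPHERS_NOT_IN_NSS`. A one-line comment above it would record the reason given in the commit message, for example `# OpenSSL names fixed-DH (DH-*) suites that it does not implement; NSS has no equivalent`. The trailing hyphen in the prefix keeps `DHE-` names in the comparison, which is the intended scope and is worth stating in the same comment. The body of assert_equal_openssl() starts and ends outside the hunk.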