[mod_mbedtls] EC certs require drbg init

gstrauss · gstrauss · commit 37fe7397bc24 · 2025-11-29T00:41:28.000-05:00
EC certs require drbg init with mbedtls >= 3.0.0 in addition to MBEDTLS_USE_PSA_CRYPTO requiring drbg init x-ref: "mbedtls error with ec certificates" https://redmine.lighttpd.net/boards/2/topics/12097 "mod_mbedtls: ECDSA OpenSSL certificates do not work with lighttpd + mbedTLS/PSA (MBEDTLS_USE_PSA_CRYPTO)" https://redmine.lighttpd.net/issues/3288
diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c
@@ -1247,7 +1247,7 @@ __attribute_noinline__
 static void *
 network_mbedtls_load_pemfile (server *srv, const buffer *pemfile, const buffer *privkey)
 {
-  #if defined(MBEDTLS_USE_PSA_CRYPTO)
+  #if MBEDTLS_VERSION_NUMBER >= 0x03000000 /* mbedtls 3.0.0 */
     if (!mod_mbedtls_init_once_mbedtls(srv))
         return NULL;
   #endif
@@ -2138,7 +2138,7 @@ SETDEFAULTS_FUNC(mod_mbedtls_set_defaults)
                 __attribute_fallthrough__
               case 2: /* ssl.ca-file */
               case 3: /* ssl.ca-dn-file */
-               #if defined(MBEDTLS_USE_PSA_CRYPTO)
+               #if MBEDTLS_VERSION_NUMBER >= 0x03000000 /* mbedtls 3.0.0 */
                 if (!mod_mbedtls_init_once_mbedtls(srv)) return HANDLER_ERROR;
                #endif /* else defer; not necessary for pemfile parsing */
                 if (!buffer_is_blank(cpv->v.b)) {
