From baedba6a588856513ef71eb65f109a5df0dc37eb Mon Sep 17 00:00:00 2001
From: Kareem
Date: Thu, 22 Jan 2026 15:13:08 -0700
Subject: [PATCH] Force client haveDH to true in wolfSSL_set_options.

haveDH won't be set to true on the client as the server side is what calls DH param generation APIs which set this to true, but we still want the client to support DH cipher suites if enabled. This matches behavior from InitSSL_EitherSide.
---
 src/ssl.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/ssl.c b/src/ssl.c
index d3961330e..db2adc9c2 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -17128,7 +17128,15 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
 if (AllocateSuites(ssl) != 0)
 return 0;
 if (!ssl->suites->setSuites) {
- InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
+ /* Client side won't set DH params, so it needs haveDH set to TRUE. */
+ if (ssl->options.side == WOLFSSL_CLIENT_END)
+ InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
+ havePSK, TRUE, ssl->options.haveECDSAsig,
+ ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
+ ssl->options.useAnon,
+ TRUE, TRUE, TRUE, TRUE, ssl->options.side);
+ else
+ InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
 havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
 ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
 ssl->options.useAnon,
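Review bot: The client branch repeats the entire `InitSuites(...)` call to change one argument, so the two argument lists that decide which cipher suites this endpoint offers can drift apart on a later edit, and the multi-line `if`/`else` bodies are left unbraced. Computing the flag once and keeping a single call would avoid that, e.g. `haveDH = (ssl->options.side == WOLFSSL_CLIENT_END) ? TRUE : ssl->options.haveDH;` passed where `ssl->options.haveDH` was, with the local sitting next to `haveRSA`/`havePSK`, which are presumably declared above the hunk. Since a client that calls `wolfSSL_set_options` now rebuilds its list with DH suites included, it relies on whatever size checks the library applies to the server's DH parameters; that is worth confirming for this path. The diffstat shows only `src/ssl.c` changed, so a regression test would help: one asserting that a client still lists its DHE suites after this call, and that a list with `setSuites` set is left untouched. The remaining arguments of the second call and the end of `wolfSSL_set_options` lie outside the hunk.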