DH_check return value test correct?

load_dh_file() in src/backend/libpq/be-secure.c does the following:

if (DH_check(dh, &codes))
{
elog(LOG, "DH_check error (%s): %s", fnbuf, SSLerrmessage());
return NULL;
}

Isn't that the wrong test for DH_check's return value? According
to the OpenSSL documentation "DH_check() returns 1 if the check
could be performed, 0 otherwise."

http://www.openssl.org/docs/crypto/DH_generate_parameters.html

That is, if the return value is 1 then the caller can proceed with
tests for DH_CHECK_P_NOT_PRIME, etc., but if the return value is 0
then DH_check failed for some reason. The DH_check source code
appears to confirm this interpretation.

http://cvs.openssl.org/getfile/openssl/crypto/dh/dh_check.c?v=1.8

The DH_check test in load_dh_file() is reached only if the DBA has
generated DH parameters and installed them in $PGDATA. You can do
that with

openssl dhparam -out $PGDATA/dh1024.pem 1024

(This command can take several minutes to run.)

If $PGDATA/dh1024.pem exists and if SSL connections are enabled,
then each SSL connection logs the following:

DH_check error (dh1024.pem): No SSL error reported

The backend then loads the hardcoded parameters. The SSL connection
works, but with DH parameters other than intended.

--
Michael Fuhr