Browse Source

ADD: support for Perfect Forward Security (patch by Michael Brunnbauer)

Juan José Gutiérrez de Quevedo Pérez 6 years ago
parent
commit
45c9272fce
2 changed files with 31 additions and 0 deletions
  1. 6 0
      src/Configfile.tmpl
  2. 25 0
      src/Socket.cpp

+ 6 - 0
src/Configfile.tmpl

@@ -230,6 +230,12 @@ string,private_key_file,"/etc/hermes/hermes.key"
 *   # openssl req -new -x509 -nodes -sha1 -days 365 -key private.key > certificate.crt
 * and answer the questions
 string,certificate_file,"/etc/hermes/hermes.cert"
+
+* optional file with Diffie-Hellman parameters for Perfect Forward Secrecy.
+* to generate, execute:
+*   # openssl dhparam -out dhparam.pem <numbits>
+* (replace <numbits> with the number of bits suitable for you, e.G. 1024)
+string,dhparams_file,""
 #endif //HAVE_SSL
 
 * whether to add headers to the email sent or no.

+ 25 - 0
src/Socket.cpp

@@ -61,6 +61,31 @@ Socket::Socket():fd(-1)
       /* load certificate */
       if(SSL_CTX_use_certificate_chain_file(ssl_ctx_server,cfg.getCertificateFile().c_str())==-1)
         throw Exception(_("Error loading certificate"),__FILE__,__LINE__);
+
+      /* load DH params */
+      BIO     *bio;
+      DH      *dh;
+      if (cfg.getDhparamsFile().size())
+      {
+        if ((bio=BIO_new_file(cfg.getDhparamsFile().c_str(), "r")) != 0)
+        {
+          if ((dh=PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) != 0)
+          {
+            SSL_CTX_set_tmp_dh(ssl_ctx_server, dh);
+            DH_free(dh);
+          }
+          else
+          {
+            throw Exception(_("Error loading DH params"),__FILE__,__LINE__);
+          }
+          BIO_free(bio);
+        }
+        else
+        {
+          throw Exception(_("Error opening DH params file"),__FILE__,__LINE__);
+        }
+      }
+
       /* load private key */
       if(SSL_CTX_use_PrivateKey_file(ssl_ctx_server,cfg.getPrivateKeyFile().c_str(),SSL_FILETYPE_PEM)==-1)
         throw Exception(_("Error loading private key"),__FILE__,__LINE__);