diff --git a/src/Configfile.tmpl b/src/Configfile.tmpl
index 1851801..d45dfc1 100644
--- a/src/Configfile.tmpl
+++ b/src/Configfile.tmpl
@@ -230,6 +230,12 @@ string,private_key_file,"/etc/hermes/hermes.key"
 * # openssl req -new -x509 -nodes -sha1 -days 365 -key private.key > certificate.crt
 * and answer the questions
 string,certificate_file,"/etc/hermes/hermes.cert"
+
+* optional file with Diffie-Hellman parameters for Perfect Forward Secrecy.
+* to generate, execute:
+* # openssl dhparam -out dhparam.pem
+* (replace with the number of bits suitable for you, e.G. 1024)
+string,dhparams_file,""
 #endif //HAVE_SSL
 * whether to add headers to the email sent or no.
diff --git a/src/Socket.cpp b/src/Socket.cpp
index 131fa6a..4c5e726 100644
--- a/src/Socket.cpp
+++ b/src/Socket.cpp
@@ -61,6 +61,31 @@ Socket::Socket():fd(-1)
 /* load certificate */
 if(SSL_CTX_use_certificate_chain_file(ssl_ctx_server,cfg.getCertificateFile().c_str())==-1)
 throw Exception(_("Error loading certificate"),__FILE__,__LINE__);
+
+ /* load DH params */
+ BIO *bio;
+ DH *dh;
+ if (cfg.getDhparamsFile().size())
+ {
+ if ((bio=BIO_new_file(cfg.getDhparamsFile().c_str(), "r")) != 0)
+ {
+ if ((dh=PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) != 0)
+ {
+ SSL_CTX_set_tmp_dh(ssl_ctx_server, dh);
+ DH_free(dh);
+ }
+ else
+ {
+ throw Exception(_("Error loading DH params"),__FILE__,__LINE__);
+ }
+ BIO_free(bio);
+ }
+ else
+ {
+ throw Exception(_("Error opening DH params file"),__FILE__,__LINE__);
+ }
+ }
+
 /* load private key */
 if(SSL_CTX_use_PrivateKey_file(ssl_ctx_server,cfg.getPrivateKeyFile().c_str(),SSL_FILETYPE_PEM)==-1)
 throw Exception(_("Error loading private key"),__FILE__,__LINE__);
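Review bot: The generation command in the added comment, `openssl dhparam -out dhparam.pem`, carries no bit-length argument even though the next line tells the reader to replace one, so the placeholder was presumably lost when the line was written; as printed, the command produces OpenSSL's default-size group and the "replace" instruction has nothing to refer to. The example value is also a problem for the feature's stated goal: 1024-bit DH groups are considered breakable by well-resourced attackers and are rejected by modern clients, so the comment should steer operators to 2048 bits or more. I'd change the two lines to `* # openssl dhparam -out dhparam.pem 2048` and `* (replace 2048 with the number of bits suitable for you; groups under 2048 bits are considered weak)`. It would also help to say that an empty value (the default shown on the `string,dhparams_file,""` line) leaves the setting off, so operators know forward secrecy is opt-in.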
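Review bot: The `BIO *bio` opened by `BIO_new_file` leaks on the `Error loading DH params` path, because the throw in the inner `else` branch happens before the `BIO_free(bio)` that follows the if/else, and the result of `SSL_CTX_set_tmp_dh` is discarded, so parameters OpenSSL rejects (it returns 0 on failure) are silently ignored and the server keeps running without the forward-secrecy the config promises. Both are fixed by checking the set call and releasing the BIO before every throw, as in the excerpt below. Since the parameters come from an operator-supplied file, I'd also reject undersized groups up front with something like `if (DH_size(dh) * 8 < 2048)` before handing them to the context, and note in a comment that `PEM_read_bio_DHparams`/`SSL_CTX_set_tmp_dh` are deprecated in OpenSSL 3.0 so the block will need `SSL_CTX_set0_tmp_dh_pkey` eventually. The enclosing constructor `Socket::Socket()` starts before this hunk and continues after it.
```cpp
/* … unchanged: BIO_new_file and its failure branch … */
if ((dh=PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) != 0)
{
	/* SSL_CTX_set_tmp_dh returns 1 on success, 0 if the parameters are rejected */
	if (SSL_CTX_set_tmp_dh(ssl_ctx_server, dh) != 1)
	{
		DH_free(dh);
		BIO_free(bio);
		throw Exception(_("Error setting DH params"),__FILE__,__LINE__);
	}
	DH_free(dh);
}
else
{
	BIO_free(bio); /* release the BIO before leaving by exception */
	throw Exception(_("Error loading DH params"),__FILE__,__LINE__);
}
BIO_free(bio);
```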