ADD: support for Perfect Forward Security (patch by Michael Brunnbauer)

This commit is contained in:
Juan José Gutiérrez de Quevedo Pérez 2014-10-09 15:24:48 +02:00
parent 5627834132
commit 45c9272fce
2 changed files with 31 additions and 0 deletions


@ -230,6 +230,12 @@ string,private_key_file,"/etc/hermes/hermes.key"
* # openssl req -new -x509 -nodes -sha1 -days 365 -key private.key > certificate.crt
* and answer the questions
string,certificate_file,"/etc/hermes/hermes.cert"
* optional file with Diffie-Hellman parameters for Perfect Forward Secrecy.
* to generate, execute:
* # openssl dhparam -out dhparam.pem <numbits>
* (replace <numbits> with the number of bits suitable for you, e.G. 1024)
string,dhparams_file,""
#endif //HAVE_SSL
* whether to add headers to the email sent or no.
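Review bot: The example parameter size in the added comment, `e.G. 1024` on the `openssl dhparam` line, is below what is generally recommended for DH groups today (2048 bits is the usual minimum), and an administrator copying the example would get weaker forward secrecy than the feature promises; the same line also has the typo `e.G.`. Suggest `* (replace <numbits> with the number of bits suitable for you, e.g. 2048 or more)`. It would also help to say in the comment that leaving `dhparams_file` empty disables DHE ciphers entirely, which is what the loader code elsewhere in this commit does when the value has no length. The hunk header counts six additions while five added lines are visible here, so one line may have been lost in rendering.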


@ -61,6 +61,31 @@ Socket::Socket():fd(-1)
/* load certificate */
if(SSL_CTX_use_certificate_chain_file(ssl_ctx_server,cfg.getCertificateFile().c_str())==-1)
throw Exception(_("Error loading certificate"),__FILE__,__LINE__);
/* load DH params */
BIO *bio;
DH *dh;
if (cfg.getDhparamsFile().size())
{
if ((bio=BIO_new_file(cfg.getDhparamsFile().c_str(), "r")) != 0)
{
if ((dh=PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) != 0)
{
SSL_CTX_set_tmp_dh(ssl_ctx_server, dh);
DH_free(dh);
}
else
{
throw Exception(_("Error loading DH params"),__FILE__,__LINE__);
}
BIO_free(bio);
}
else
{
throw Exception(_("Error opening DH params file"),__FILE__,__LINE__);
}
}
/* load private key */
if(SSL_CTX_use_PrivateKey_file(ssl_ctx_server,cfg.getPrivateKeyFile().c_str(),SSL_FILETYPE_PEM)==-1)
throw Exception(_("Error loading private key"),__FILE__,__LINE__);
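Review bot: The return value of `SSL_CTX_set_tmp_dh(ssl_ctx_server, dh);` is ignored, so if OpenSSL rejects the parameters the server starts with no DH group installed and DHE cipher suites are silently unavailable — the forward-secrecy feature this commit adds would fail without any error, unlike the certificate and key loads around it which throw. The `else` branch after `PEM_read_bio_DHparams` also throws before `BIO_free(bio)` runs, leaking the BIO on the parse-failure path. Restructuring the block as early-exit checks fixes both, keeps the existing `DH_free(dh)` immediately after the set call, and avoids the uninitialised-until-assigned `bio`/`dh` declarations. The enclosing `Socket::Socket()` constructor starts before this hunk and continues after it.
```cpp
/* load DH params */
if (cfg.getDhparamsFile().size())
{
    BIO *bio = BIO_new_file(cfg.getDhparamsFile().c_str(), "r");
    if (bio == NULL)
        throw Exception(_("Error opening DH params file"),__FILE__,__LINE__);
    DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
    BIO_free(bio); /* released on both the success and the failure path */
    if (dh == NULL)
        throw Exception(_("Error loading DH params"),__FILE__,__LINE__);
    int rc = SSL_CTX_set_tmp_dh(ssl_ctx_server, dh);
    DH_free(dh);   /* the patch already frees dh right after the set call */
    if (rc != 1)
        throw Exception(_("Error setting DH params"),__FILE__,__LINE__);
}
/* … unchanged: private key load … */
```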