ADD: support for Perfect Forward Security (patch by Michael Brunnbauer)

2014-10-09 15:24:48 +02:00 · 2014-10-09 15:24:48 +02:00 · 45c9272fce
parent 5627834132
commit 45c9272fce
2 changed files with 31 additions and 0 deletions
--- a/src/Configfile.tmpl
+++ b/src/Configfile.tmpl
@ -230,6 +230,12 @@ string,private_key_file,"/etc/hermes/hermes.key"
 *   # openssl req -new -x509 -nodes -sha1 -days 365 -key private.key > certificate.crt
 * and answer the questions
 string,certificate_file,"/etc/hermes/hermes.cert"
+
+* optional file with Diffie-Hellman parameters for Perfect Forward Secrecy.
+* to generate, execute:
+*   # openssl dhparam -out dhparam.pem <numbits>
+* (replace <numbits> with the number of bits suitable for you, e.G. 1024)
+string,dhparams_file,""
 #endif //HAVE_SSL

 * whether to add headers to the email sent or no.
--- a/src/Socket.cpp
+++ b/src/Socket.cpp
@ -61,6 +61,31 @@ Socket::Socket():fd(-1)
      /* load certificate */
      if(SSL_CTX_use_certificate_chain_file(ssl_ctx_server,cfg.getCertificateFile().c_str())==-1)
        throw Exception(_("Error loading certificate"),__FILE__,__LINE__);
+
+      /* load DH params */
+      BIO     *bio;
+      DH      *dh;
+      if (cfg.getDhparamsFile().size())
+      {
+        if ((bio=BIO_new_file(cfg.getDhparamsFile().c_str(), "r")) != 0)
+        {
+          if ((dh=PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) != 0)
+          {
+            SSL_CTX_set_tmp_dh(ssl_ctx_server, dh);
+            DH_free(dh);
+          }
+          else
+          {
+            throw Exception(_("Error loading DH params"),__FILE__,__LINE__);
+          }
+          BIO_free(bio);
+        }
+        else
+        {
+          throw Exception(_("Error opening DH params file"),__FILE__,__LINE__);
+        }
+      }
+
      /* load private key */
      if(SSL_CTX_use_PrivateKey_file(ssl_ctx_server,cfg.getPrivateKeyFile().c_str(),SSL_FILETYPE_PEM)==-1)
        throw Exception(_("Error loading private key"),__FILE__,__LINE__);