changeset 933:30672d224854

Enable SSL_OP_SINGLE_DH_USE I've read (and tested) the patch submitted by Matthias Hunstock. I think it would be prudent to follow the advice in the OpenSSL documentation and enable the option SSL_OP_SINGLE_DH_USE. (Patch attached.) This may not matter when perdition is run from inetd, but in daemon mode the DH parameters are read only once, by the process that listens for incoming connections, and only used in the children after forking, so if one doesn't set SSL_OP_SINGLE_DH_USE I'd expect *every* child to end up using the same random number, which risks defeating forward secrecy. See the SSL_set_tmp_dh(3) man page. v2 Here is a minor revision of yesterday's patch. From a security standpoint either will do the job, but this version avoids a few unnecessary operations. (If SSL_OP_SINGLE_DH_USE is set before calling SSL_CTX_set_tmp_dh() the latter will refrain from generating a Y_s right away.) About testing: I've been using openssl s_client -connect imap:993 -debug -cipher DHE-RSA-AES256-SHA256 to look at the ServerKeyExchange message (the one after the server certificate). This contains three values: p, g, and Y_s. p and g are straight out of the DH parameter file, while Y_s changes on every connection (with either version of my patch) or considerably less often (without my patch). Signed-off-by: Simon Horman <horms@verge.net.au>
author Sergio Gelato <Sergio.Gelato@astro.su.se>
date Sat, 13 Jun 2015 09:01:10 +0900
parents 083549518c3c
children 3895fb98913f
files perdition/ssl.c
diffstat 1 files changed, 1 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/perdition/ssl.c	Sat Jun 13 08:59:05 2015 +0900
+++ b/perdition/ssl.c	Sat Jun 13 09:01:10 2015 +0900
@@ -581,6 +581,7 @@
 					("Loaded Diffie-Hellman parameters: \"%s\"", dhfile);
 				}
 				DH_free(dh);
+				SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_DH_USE);
 			}
 		}
 	}