Add support for ephemeral key exchange mechanisms; the ssl_dhparam configuration option must be set (and point to a file containing generated DH parameters).
parent
bb9f37f029
commit
04ee544982
|
@ -24,6 +24,7 @@
|
||||||
#include <arpa/inet.h>
|
#include <arpa/inet.h>
|
||||||
|
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/dh.h>
|
||||||
#include <openssl/ssl.h>
|
#include <openssl/ssl.h>
|
||||||
|
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
|
@ -228,6 +229,7 @@ extern char *kore_module_onload;
|
||||||
extern char *kore_pidfile;
|
extern char *kore_pidfile;
|
||||||
extern char *config_file;
|
extern char *config_file;
|
||||||
extern char *kore_ssl_cipher_list;
|
extern char *kore_ssl_cipher_list;
|
||||||
|
extern DH *ssl_dhparam;
|
||||||
|
|
||||||
extern u_int8_t nlisteners;
|
extern u_int8_t nlisteners;
|
||||||
extern u_int64_t spdy_idle_time;
|
extern u_int64_t spdy_idle_time;
|
||||||
|
|
31
src/config.c
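--- a/src/config.c
+++ b/src/config.c
@@ -34,6 +34,7 @@ static int configure_certfile(char **);
 static int configure_certkey(char **);
 static int configure_max_connections(char **);
 static int configure_ssl_cipher(char **);
+static int configure_ssl_dhparam(char **);
 static int configure_spdy_idle_time(char **);
 static void domain_sslstart(void);
 
@@ -47,6 +48,7 @@ static struct {
 { "static", configure_handler },
 { "dynamic", configure_handler },
 { "ssl_cipher", configure_ssl_cipher },
+{ "ssl_dhparam", configure_ssl_dhparam },
 { "spdy_idle_time", configure_spdy_idle_time },
 { "domain", configure_domain },
 { "chroot", configure_chroot },
@@ -172,6 +174,35 @@ configure_ssl_cipher(char **argv)
 return (KORE_RESULT_OK);
 }
 
+static int
+configure_ssl_dhparam(char **argv)
+{
+BIO *bio;
+
+if (argv[1] == NULL)
+return (KORE_RESULT_ERROR);
+
+if (ssl_dhparam != NULL) {
+kore_debug("duplicate ssl_dhparam directive specified");
+return (KORE_RESULT_ERROR);
+}
+
+if ((bio = BIO_new_file(argv[1], "r")) == NULL) {
+kore_debug("%s did not exist", argv[1]);
+return (KORE_RESULT_ERROR);
+}
+
+ssl_dhparam = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+BIO_free(bio);
+
+if (ssl_dhparam == NULL) {
+kore_debug("PEM_read_bio_DHparams(): %s", ssl_errno_s);
+return (KORE_RESULT_ERROR);
+}
+
+return (KORE_RESULT_OK);
+}
+
 static int
 configure_spdy_idle_time(char **argv)
 {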
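Review bot: configure_ssl_dhparam accepts whatever PEM_read_bio_DHparams() returns without validating the group, so a config pointing at a file with a small, composite or otherwise unsafe prime is loaded as-is and later handed to SSL_CTX_set_tmp_dh(), after which every DHE handshake uses that weak group. Running DH_check() on the loaded parameters and rejecting any non-zero problem code closes that off at config time; a size floor via DH_size() is worth adding alongside it, with the threshold set to whatever the project's policy is (the 256-byte / 2048-bit value below is one reasonable choice). The "%s did not exist" message on the BIO_new_file() failure is also misleading, since that call fails on permission and I/O errors too; `kore_debug("BIO_new_file(%s): %s", argv[1], ssl_errno_s);` reports the real cause. When the new check fails the DH object must be freed and ssl_dhparam reset, otherwise the duplicate-directive test above would later treat the rejected parameters as a valid earlier setting.
```c
static int
configure_ssl_dhparam(char **argv)
{
	BIO *bio;
	int codes = 0;

	/* … unchanged: argument, duplicate-directive and BIO_new_file checks … */

	ssl_dhparam = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
	BIO_free(bio);

	if (ssl_dhparam == NULL) {
		kore_debug("PEM_read_bio_DHparams(): %s", ssl_errno_s);
		return (KORE_RESULT_ERROR);
	}

	/* Reject malformed or weak groups before they reach SSL_CTX_set_tmp_dh(). */
	if (!DH_check(ssl_dhparam, &codes) || codes != 0 ||
	    DH_size(ssl_dhparam) < 256) {
		kore_debug("%s: DH parameters rejected (codes %d)", argv[1], codes);
		DH_free(ssl_dhparam);
		ssl_dhparam = NULL;
		return (KORE_RESULT_ERROR);
	}

	return (KORE_RESULT_OK);
}
```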
@ -18,6 +18,7 @@
|
||||||
|
|
||||||
struct kore_domain_h domains;
|
struct kore_domain_h domains;
|
||||||
struct kore_domain *primary_dom = NULL;
|
struct kore_domain *primary_dom = NULL;
|
||||||
|
DH *ssl_dhparam = NULL;
|
||||||
|
|
||||||
void
|
void
|
||||||
kore_domain_init(void)
|
kore_domain_init(void)
|
||||||
|
@ -72,6 +73,11 @@ kore_domain_sslstart(struct kore_domain *dom)
|
||||||
if (!SSL_CTX_check_private_key(dom->ssl_ctx))
|
if (!SSL_CTX_check_private_key(dom->ssl_ctx))
|
||||||
fatal("Public/Private key for %s do not match", dom->domain);
|
fatal("Public/Private key for %s do not match", dom->domain);
|
||||||
|
|
||||||
|
if (ssl_dhparam != NULL) {
|
||||||
|
SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);
|
||||||
|
SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
|
||||||
|
}
|
||||||
|
|
||||||
SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
|
SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
|
||||||
SSL_CTX_set_cipher_list(dom->ssl_ctx, kore_ssl_cipher_list);
|
SSL_CTX_set_cipher_list(dom->ssl_ctx, kore_ssl_cipher_list);
|
||||||
SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
|
SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
|
||||||
|
|
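Review bot: The return value of SSL_CTX_set_tmp_dh() on the first added line is discarded, so if OpenSSL rejects the parameters the context silently ends up without ephemeral DH and the DHE suites in kore_ssl_cipher_list simply fail to negotiate, which is the opposite of what the commit sets out to guarantee; `if (!SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam)) fatal("SSL_CTX_set_tmp_dh(): %s", ssl_errno_s);` matches the fatal() used a few lines up for the private-key check (assuming ssl_errno_s is reachable from this file as it is in config.c). The same silent fallback happens when no ssl_dhparam is configured at all: the branch is skipped and nothing tells the operator that DHE forward secrecy is unavailable, so either a log line in an else path or a fatal(), if the option is meant to be mandatory as the commit message says, would make that visible. Only DH is wired here and no ECDHE setup appears in the hunk, so "ephemeral key exchange mechanisms" in the message presumably means DHE alone at this point; a comment on the branch such as `/* DHE only; ECDHE is not configured here */` would save the next reader a search. kore_domain_sslstart begins and ends outside the hunk.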