lib-ssl-iostream: Turn on SSL_OP_SINGLE_DH_USE

author Aki Tuomi <aki.tuomi@dovecot.fi>

Wed, 27 Jun 2018 06:10:39 +0000 (09:10 +0300)

committer Aki Tuomi <aki.tuomi@dovecot.fi>

Tue, 7 Aug 2018 11:10:08 +0000 (14:10 +0300)
author Aki Tuomi <aki.tuomi@dovecot.fi>
Wed, 27 Jun 2018 06:10:39 +0000 (09:10 +0300)
committer Aki Tuomi <aki.tuomi@dovecot.fi>
Tue, 7 Aug 2018 11:10:08 +0000 (14:10 +0300)
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c

index bf5aa25d61164ae8fc150308c60dc7f9ef64d888..c4bfb19aa9c3fac7f2a6d8fbee87dd7700b2ecc3 100644 (file)
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -559,6 +559,11 @@ ssl_proxy_ctx_set_crypto_params(SSL_CTX *ssl_ctx,
                 EC_KEY_free(ecdh);
         }
  #endif
+#endif
+#ifdef SSL_OP_SINGLE_DH_USE
+       /* Improves forward secrecy with DH parameters, especially if the
+          parameters used aren't strong primes. See OpenSSL manual. */
+       SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_DH_USE);
  #endif
         return 0;
  }
author	Aki Tuomi <aki.tuomi@dovecot.fi>
	Wed, 27 Jun 2018 06:10:39 +0000 (09:10 +0300)
committer	Aki Tuomi <aki.tuomi@dovecot.fi>
	Tue, 7 Aug 2018 11:10:08 +0000 (14:10 +0300)