From: Aki Tuomi
Date: Wed, 27 Jun 2018 06:10:39 +0000 (+0300)
Subject: lib-ssl-iostream: Turn on SSL_OP_SINGLE_DH_USE
X-Git-Tag: 2.3.3.rc1~162
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4b13e3ead23300a52157272f34f625598747ee7a;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: Turn on SSL_OP_SINGLE_DH_USE

Improves forward secrecy in case a DH cipher is used.
---

diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index bf5aa25d61..c4bfb19aa9 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -559,6 +559,11 @@ ssl_proxy_ctx_set_crypto_params(SSL_CTX *ssl_ctx,
 EC_KEY_free(ecdh);
 }
 #endif
+#endif
+#ifdef SSL_OP_SINGLE_DH_USE
+ /* Improves forward secrecy with DH parameters, especially if the parameters used aren't strong primes. See OpenSSL manual. */
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_DH_USE);
 #endif
 return 0;
 }
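Review bot: The new comment above `SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_DH_USE);` should carry the OpenSSL-version caveat, because on OpenSSL 1.0.2f and later (and all of 1.1.x) a fresh DH key per handshake is generated unconditionally and, as far as I recall, the macro is kept defined (as 0 in 1.1.0), so the `#ifdef SSL_OP_SINGLE_DH_USE` guard still passes but the call is a no-op; a reader could otherwise believe forward secrecy for DHE suites hinges on this line. I would extend the comment with a sentence such as `Only has an effect on OpenSSL older than 1.0.2f; newer versions always generate a fresh DH key per handshake and keep this option as a no-op.` The "aren't strong primes" wording presumably refers to the small-subgroup problem with non-safe-prime DH parameters that motivated that OpenSSL change, which is worth naming explicitly so the rationale survives once the option is dropped from headers. The ECDH set-up just above the hunk (only its trailing `EC_KEY_free(ecdh);` is visible) has the parallel `SSL_OP_SINGLE_ECDH_USE`; if this file does not already set it, the same per-handshake-key reasoning applies there for old OpenSSL, though I cannot confirm from the hunk. `ssl_proxy_ctx_set_crypto_params` begins before this hunk.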