From: Alexander Traud Date: Tue, 19 May 2015 10:43:43 +0000 (+0200) Subject: Add Perfect Forward Secrecy (DHE PFS) to mod_sofia X-Git-Tag: v1.4.20~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=35551d1d62efce13d342c278aa591cfcfa0c413f;p=thirdparty%2Ffreeswitch.git Add Perfect Forward Secrecy (DHE PFS) to mod_sofia Ephemeral ECDH (ECDHE) was supported already. This patch adds Ephemeral DH (DHE). To enable it, add DH parameters into the private-key file of your server (agent.pem). For example via: openssl dhparam -out dh.pem 2048 FS-7561 #resolve
---
diff --git a/conf/vanilla/vars.xml b/conf/vanilla/vars.xml
index ecee73329d..33eaea95c3 100644
--- a/conf/vanilla/vars.xml
+++ b/conf/vanilla/vars.xml
@@ -413,8 +413,6 @@ openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
 Will show you what is available in your verion of openssl.
- Freeswitch does not support non-Elliptic Curve Diffie Hellman key
- exchange.
 -->
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
index 5689d582c8..976a88dede 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
@@ -381,6 +381,27 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
 #if require_client_certificate
 errno = EIO;
 return -1;
+#endif
+#ifndef OPENSSL_NO_DH
+ } else {
+ BIO *bio = BIO_new_file(ti->key, "r");
+ if (bio != NULL) {
+ DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ if (dh != NULL) {
+ if (!SSL_CTX_set_tmp_dh(tls->ctx, dh)) {
+ SU_DEBUG_1(("%s: invalid DH parameters (PFS) because %s: %s\n",
+ "tls_init_context",
+ ERR_reason_error_string(ERR_get_error()),
+ ti->key));
+ } else {
+ long options = SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
+ options = SSL_CTX_set_options(tls->ctx, options);
+ SU_DEBUG_3(("%s\n", "tls: initialized DHE"));
+ }
+ DH_free(dh);
+ }
+ BIO_free(bio);
+ }
 #endif
 }
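Review bot: The parameters returned by `PEM_read_bio_DHparams` go straight into `SSL_CTX_set_tmp_dh` with no check on their size, so a short group left in the key file is accepted and the log still reports "tls: initialized DHE". A guard before that call, such as `if (DH_size(dh) * 8 < 2048) SU_DEBUG_1(("%s: DH parameters in %s are shorter than 2048 bits\n", "tls_init_context", ti->key));`, would make a weak group visible; whether to refuse it outright is a policy choice. The case where the file holds no DH block is also silent, and the failed PEM read leaves an entry on the OpenSSL error queue, so the `dh != NULL` test should get an `else { ERR_clear_error(); }` with a debug line. The value assigned back to `options` is never read, and `SSL_OP_CIPHER_SERVER_PREFERENCE` is now switched on only when DH parameters happen to be present, which deserves a comment. The `} else {` attaches this block to an `if` that begins outside the hunk, so DHE setup appears to depend on that earlier condition; confirm that coupling is intended.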