From: Aki Tuomi
Date: Wed, 27 Jun 2018 06:10:39 +0000 (+0300)
Subject: lib-ssl-iostream: Turn on SSL_OP_SINGLE_DH_USE
X-Git-Tag: 2.3.9~1667
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7482de0af1df827402edd44d3c2e9c317354d017;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: Turn on SSL_OP_SINGLE_DH_USE

Improves forward secrecy in case a DH cipher is used.
---

diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index befc555b40..7cdc680d81 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -565,6 +565,11 @@ ssl_proxy_ctx_set_crypto_params(SSL_CTX *ssl_ctx,
 EC_KEY_free(ecdh);
 }
 #endif
+#endif
+#ifdef SSL_OP_SINGLE_DH_USE
+/* Improves forward secrecy with DH parameters, especially if the
+ parameters used aren't strong primes. See OpenSSL manual. */
+SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_DH_USE);
 #endif
 return 0;
 }
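Review bot: The comment added above `SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_DH_USE);` explains the benefit but not when the call has any effect: as far as I know, OpenSSL releases that always generate a fresh DH private key per handshake keep the macro only as a zero-valued compatibility define, so passing the `#ifdef SSL_OP_SINGLE_DH_USE` guard does not by itself mean the option is being turned on. I would extend the comment with `Only effective on OpenSSL builds that would otherwise reuse the DH private key across handshakes; newer builds keep the macro as a no-op for compatibility.` The ECDH branch that ends at `EC_KEY_free(ecdh);` in this hunk raises the same question, since a fixed EC key on older builds would be covered by the analogous `SSL_OP_SINGLE_ECDH_USE` option under its own `#ifdef`; whether that is already set elsewhere cannot be seen from the hunk. The enclosing function `ssl_proxy_ctx_set_crypto_params` starts outside the hunk.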