Add Perfect Forward Secrecy (DHE PFS) to mod_sofia

Ephemeral ECDH (ECDHE) was supported already. This patch adds Ephemeral DH (DHE). To enable it, add DH parameters into the private-key file of your server (agent.pem). For example via: openssl dhparam -out dh.pem 2048 FS-7561 #resolve
2015-05-19 12:43:43 +02:00 · 2015-05-19 12:43:43 +02:00 · 35551d1d62
parent 979c94de37
commit 35551d1d62
2 changed files with 21 additions and 2 deletions
--- a/conf/vanilla/vars.xml
+++ b/conf/vanilla/vars.xml
@ -413,8 +413,6 @@
     openssl ciphers -v 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'

     Will show you what is available in your verion of openssl.
-     Freeswitch does not support non-Elliptic Curve Diffie Hellman key 
-     exchange.  
  -->
  <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>
  
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
@ -381,6 +381,27 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
 #if require_client_certificate
    errno = EIO;
    return -1;
+#endif
+#ifndef OPENSSL_NO_DH
+  } else {
+    BIO *bio = BIO_new_file(ti->key, "r");
+    if (bio != NULL) {
+      DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+      if (dh != NULL) {
+        if (!SSL_CTX_set_tmp_dh(tls->ctx, dh)) {
+          SU_DEBUG_1(("%s: invalid DH parameters (PFS) because %s: %s\n",
+                      "tls_init_context",
+                      ERR_reason_error_string(ERR_get_error()),
+                      ti->key));
+        } else {
+          long options = SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
+          options = SSL_CTX_set_options(tls->ctx, options);
+          SU_DEBUG_3(("%s\n", "tls: initialized DHE"));
+        }
+        DH_free(dh);
+      }
+      BIO_free(bio);
+    }
 #endif
  }