This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "sfcb - Small Footprint CIM Broker".
The branch, master_1.3 has been updated
via 1afe5a3e6bf4c012e232bb0b87ccda55e3ccfdac (commit)
from 0851a9d054d3cf950977a03cfa796665a35ab11f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 1afe5a3e6bf4c012e232bb0b87ccda55e3ccfdac
Author: Dave Heller <hel...@us...>
Date: Wed Oct 23 21:06:41 2013 -0400
[sfcb-tix:#86] Support configurable SSL Diffie Hellman parameters file
-----------------------------------------------------------------------
Summary of changes:
control.c | 1 +
httpAdapter.c | 24 ++++++++++++++++++++++++
sfcb.cfg.pre.in | 11 +++++++++++
3 files changed, 36 insertions(+), 0 deletions(-)
diff --git a/control.c b/control.c
index bc40e5c..369399e 100644
--- a/control.c
+++ b/control.c
@@ -109,6 +109,7 @@ static Control init[] = {
{"sslKeyFilePath", 0, SFCB_CONFDIR "/file.pem"},
{"sslCertificateFilePath", 0, SFCB_CONFDIR "/server.pem"},
{"sslCiphers", 0, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"},
+ {"sslDhParamsFilePath", 0, NULL},
{"registrationDir", 0, SFCB_STATEDIR "/registration"},
{"providerDirs", 3, SFCB_LIBDIR " " CMPI_LIBDIR " " LIBDIR}, /* 3: unstripped */
diff --git a/httpAdapter.c b/httpAdapter.c
index 01397dc..8891e92 100644
--- a/httpAdapter.c
+++ b/httpAdapter.c
@@ -1700,6 +1700,7 @@ initSSL()
*fnk,
*fnt,
*fnl,
+ *fdhp,
*sslCiphers;
int rc;
@@ -1757,6 +1758,29 @@ initSSL()
if (SSL_CTX_set_cipher_list(ctx, sslCiphers) != 1)
intSSLerror("Error setting cipher list (no valid ciphers)");
+#if (defined HEADER_DH_H && !defined OPENSSL_NO_DH)
+ /*
+ * Set DH parameters file for ephemeral key generation
+ */
+ getControlChars("sslDhParamsFilePath", &fdhp);
+ if (fdhp) {
+ _SFCB_TRACE(1, ("--- sslDhParamsFilePath = %s", fdhp));
+ BIO *dhpbio = BIO_new_file(fdhp, "r");
+ DH *dh_tmp = PEM_read_bio_DHparams(dhpbio, NULL, NULL, NULL);
+ BIO_free(dhpbio);
+ if (dh_tmp) {
+ SSL_CTX_set_tmp_dh(ctx, dh_tmp);
+ DH_free(dh_tmp);
+ } else {
+ unsigned long sslqerr = ERR_get_error();
+ mlogf(M_ERROR,M_SHOW,"--- Failure reading DH params file: %s (%s)\n",
+ fdhp, sslqerr != 0 ? ERR_error_string(sslqerr, NULL) :
+ "unknown openssl error");
+ intSSLerror("Error setting DH params for SSL");
+ }
+ }
+#endif // HEADER_DH_H
+
sslReloadRequested = 0;
}
#endif // USE_SSL
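Review bot: `dhpbio` returned by `BIO_new_file(fdhp, "r")` is handed to `PEM_read_bio_DHparams` without a NULL check, so a missing or unreadable path — exactly the case the new sfcb.cfg comment says should make SFCB abort — dereferences a null BIO instead of reaching the mlogf()/intSSLerror() branch. The return value of `SSL_CTX_set_tmp_dh(ctx, dh_tmp)` is also ignored; it signals failure with a value other than 1, in which case the broker would start without the configured parameters and log nothing. Both can be routed through the existing failure path by only reading from the BIO when it was opened and folding the set_tmp_dh result into the same check, as below; the BIO_new_file error stays on the OpenSSL error queue, so the existing ERR_get_error() report still describes it. initSSL() begins before this hunk.
```c
      BIO *dhpbio = BIO_new_file(fdhp, "r");
      /* never pass a NULL BIO to PEM_read_bio_DHparams(); a failed open falls through to the error branch */
      DH *dh_tmp = dhpbio ? PEM_read_bio_DHparams(dhpbio, NULL, NULL, NULL) : NULL;
      BIO_free(dhpbio);
      /* SSL_CTX_set_tmp_dh() returns 1 on success; anything else is a failure */
      int dh_ok = (dh_tmp != NULL) && SSL_CTX_set_tmp_dh(ctx, dh_tmp) == 1;
      DH_free(dh_tmp);
      if (!dh_ok) {
        /* … unchanged: ERR_get_error()/mlogf()/intSSLerror() error reporting … */
      }
```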
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index 55057ef..f3f8f6e 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
@@ -208,6 +208,17 @@ certificateAuthLib: sfcCertificateAuthentication
## weak ciphers.
sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+## Optionally configure a DH parameters file for ephemeral key generation.
+## See man SSL_CTX_set_tmp_dh_callback(3) for details. The value should be
+## the full path to the file. Note that ephemeral key generation will still
+## proceed, where applicable, without this file; it is only required when the
+## user desires a key length greater than the (openssl) default. If this
+## value is not set, no DH parameters file is configured. If the value is set
+## but the file is unreadable or contains bad data, and https is configured,
+## SFCB will abort. The data is expected to be in PEM format.
+## Default is: not set
+#sslDhParamsFilePath: @sysconfdir@/sfcb/dh_param_file.pem
+
##---------------------------------- UDS --------------------------------------
## These options only apply if configured with --enable-uds