From: Dave H. <hel...@us...> - 2013-10-24 00:32:55
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "sfcb - Small Footprint CIM Broker". The branch, master has been updated via 75a18c1ac51fa6a8fa9684168e010588312bfc60 (commit) from 745f4b0f678c54e41236b77fcd7b9fee6c9f9898 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 75a18c1ac51fa6a8fa9684168e010588312bfc60
Author: Dave Heller <hel...@us...>
Date: Wed Oct 23 20:29:13 2013 -0400
[sfcb-tix:#86] Support configurable SSL Diffie Hellman parameters file
-----------------------------------------------------------------------
Summary of changes:
control.c | 1 +
httpAdapter.c | 24 ++++++++++++++++++++++++
sfcb.cfg.pre.in | 11 +++++++++++
3 files changed, 36 insertions(+), 0 deletions(-)
diff --git a/control.c b/control.c
index f1dc7de..2ae5e8a 100644
--- a/control.c
+++ b/control.c
@@ -117,6 +117,7 @@ static Control init[] = {
 {"sslCertificateFilePath", CTL_STRING, SFCB_CONFDIR "/server.pem", {0}},
 {"sslCertList", CTL_STRING, SFCB_CONFDIR "/clist.pem", {0}},
 {"sslCiphers", CTL_STRING, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", {0}},
+ {"sslDhParamsFilePath", CTL_STRING, NULL, {0}},
 {"registrationDir", CTL_STRING, SFCB_STATEDIR "/registration", {0}},
 {"providerDirs", CTL_USTRING, SFCB_LIBDIR " " CMPI_LIBDIR " " LIBDIR, {0}},
diff --git a/httpAdapter.c b/httpAdapter.c
index 6aee6f4..8a11ee3 100644
--- a/httpAdapter.c
+++ b/httpAdapter.c
@@ -2015,6 +2015,7 @@ initSSL()
 *fnt,
 *fnl,
 *fcert,
+ *fdhp,
 *sslCiphers;
 int rc;
@@ -2074,6 +2075,29 @@ initSSL()
 if (SSL_CTX_set_cipher_list(ctx, sslCiphers) != 1)
 intSSLerror("Error setting cipher list (no valid ciphers)");
+#if (defined HEADER_DH_H && !defined OPENSSL_NO_DH)
+ /*
+ * Set DH parameters file for ephemeral key generation
+ */
+ getControlChars("sslDhParamsFilePath", &fdhp);
+ if (fdhp) {
+ _SFCB_TRACE(1, ("--- sslDhParamsFilePath = %s", fdhp));
+ BIO *dhpbio = BIO_new_file(fdhp, "r");
+ DH *dh_tmp = PEM_read_bio_DHparams(dhpbio, NULL, NULL, NULL);
+ BIO_free(dhpbio);
+ if (dh_tmp) {
+ SSL_CTX_set_tmp_dh(ctx, dh_tmp);
+ DH_free(dh_tmp);
+ } else {
+ unsigned long sslqerr = ERR_get_error();
+ mlogf(M_ERROR,M_SHOW,"--- Failure reading DH params file: %s (%s)\n",
+ fdhp, sslqerr != 0 ? ERR_error_string(sslqerr, NULL) :
+ "unknown openssl error");
+ intSSLerror("Error setting DH params for SSL");
+ }
+ }
+#endif // HEADER_DH_H
+
 sslReloadRequested = 0;
 }
 #endif // USE_SSL
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index 325d83d..f61d8df 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
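Review bot: The return value of `SSL_CTX_set_tmp_dh(ctx, dh_tmp)` is discarded, so a parameter set that OpenSSL rejects at that call leaves the context on its default ephemeral DH settings while the trace line above implies the configured file took effect; the sfcb.cfg.pre.in text in this same commit promises SFCB will abort on bad data, so the result should be checked with `if (SSL_CTX_set_tmp_dh(ctx, dh_tmp) != 1)` / `intSSLerror("Error setting DH params for SSL");` placed before the `DH_free(dh_tmp)`. On the read path, `dhpbio` from `BIO_new_file` is handed to `PEM_read_bio_DHparams` with no NULL check; OpenSSL appears to tolerate a NULL BIO by returning an error, but an explicit `if (!dhpbio)` guard that reports the open failure would not depend on that behaviour. Because `fdhp` is operator-supplied configuration the file contents are trusted input here, so the remaining exposure is silently running with weaker-than-intended parameters, which the return check closes. `ERR_error_string(sslqerr, NULL)` writes into a static buffer; `ERR_error_string_n` with a local buffer is the safer form if this path can ever run outside single-threaded startup. The enclosing `initSSL()` begins before this hunk.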
@@ -271,6 +271,17 @@ certificateAuthLib: sfcCertificateAuthentication
 ## weak ciphers.
 sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+## Optionally configure a DH parameters file for ephemeral key generation.
+## See man SSL_CTX_set_tmp_dh_callback(3) for details. The value should be
+## the full path to the file. Note that ephemeral key generation will still
+## proceed, where applicable, without this file; it is only required when the
+## user desires a key length greater than the (openssl) default. If this
+## value is not set, no DH parameters file is configured. If the value is set
+## but the file is unreadable or contains bad data, and https is configured,
+## SFCB will abort. The data is expected to be in PEM format.
+## Default is: not set
+#sslDhParamsFilePath: @sysconfdir@/sfcb/dh_param_file.pem
+
 ##---------------------------------- UDS --------------------------------------
 ## These options only apply if configured with --enable-uds
hooks/post-receive -- sfcb - Small Footprint CIM Broker |
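Review bot: The new commentary states the abort contract but gives operators no hint of how to produce a valid file or what parameter size is worth configuring, which is the reason the option exists. A line such as `## Generate with e.g.: openssl dhparam -out dh_param_file.pem 2048` after the PEM-format sentence would make the option usable without consulting external documentation. The reference `See man SSL_CTX_set_tmp_dh_callback(3)` names the callback variant while httpAdapter.c in this commit calls `SSL_CTX_set_tmp_dh`; the two are documented together, so naming the function actually used would avoid sending readers to the wrong entry point.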