Here is a minor revision of yesterday's patch. From a security standpoint
either will do the job, but this version avoids a few unnecessary operations.
(If SSL_OP_SINGLE_DH_USE is set before calling SSL_CTX_set_tmp_dh()
the latter will refrain from generating a Y_s right away.)

About testing: I've been using

openssl s_client -connect imap:993 -debug -cipher DHE-RSA-AES256-SHA256

to look at the ServerKeyExchange message (the one after the server certificate).
This contains three values: p, g, and Y_s. p and g are straight out of the
DH parameter file, while Y_s changes on every connection (with either
version of my patch) or considerably less often (without my patch).
Turn on SSL_OP_SINGLE_DH_USE to prevent reuse of DH keys.

This setting is recommended by the OpenSSL developers. It may have a slight
performance impact on every connection but the additional peace of mind it
provides should be more than worth it.
--- a/perdition/ssl.c
+++ b/perdition/ssl.c
@@ -572,6 +572,7 @@
 					VANESSA_LOGGER_ERR_UNSAFE("could not read DH params from cert file \"%s\"", dhfile);
 				}
 			} else {
+				SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_DH_USE);
 				if (1 != SSL_CTX_set_tmp_dh(ssl_ctx, dh)) {
 					PERDITION_DEBUG_SSL_ERR("SSL_CTX_set_tmp_dh");
 					VANESSA_LOGGER_ERR_UNSAFE

Reply via email to