lib-ssl-iostream: Turn on SSL_OP_SINGLE_DH_USE

Improves forward secrecy in case a DH cipher is used.
dovecot · Aug 7, 2018 · 4b13e3e · 4b13e3e
1 parent b25ab36
commit 4b13e3e
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -559,6 +559,11 @@ ssl_proxy_ctx_set_crypto_params(SSL_CTX *ssl_ctx,
 		EC_KEY_free(ecdh);
 	}
 #endif
+#endif
+#ifdef SSL_OP_SINGLE_DH_USE
+	/* Improves forward secrecy with DH parameters, especially if the
+	   parameters used aren't strong primes. See OpenSSL manual. */
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_SINGLE_DH_USE);
 #endif
 	return 0;
 }