From a57b620090bf63a65f16624dcaeb883b4f4a0346 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 14 Jan 2016 21:13:01 +0000
Subject: [PATCH] OpenSSL: Default the SINGLE_DH_USE option flag set

---
 doc/doc-docbook/spec.xfpt | 2 +-
 doc/doc-txt/ChangeLog     | 4 ++++
 src/src/tls-openssl.c     | 3 +++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 44623a550..aa1e67712 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15431,7 +15431,7 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)& transport driver.
-.option openssl_options main "string list" "+no_sslv2"
+.option openssl_options main "string list" "+no_sslv2 +single_dh_use"
 .cindex "OpenSSL "compatibility options"
 This option allows an administrator to adjust the SSL options applied by OpenSSL to connections. It is given as a space-separated list of items,
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 52d4aeb56..09437e40e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -144,6 +144,10 @@ JH/34 Bug 1192: replace the embedded copy of PolarSSL RSA routines in the DKIM support, by using OpenSSL or GnuTLS library ones. This means DKIM is only supported when built with TLS support.
+JH/35 Require SINGLE_DH_USE by default in OpenSSL (main config option
+      openssl_options), for security. OpenSSL forces this from version 1.1.0
+      server-side so match that on older versions.
+
 Exim version 4.86
 -----------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 9944a8f60..3ecb6cb3f 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2751,6 +2751,9 @@ result = 0L;
 #ifdef SSL_OP_NO_SSLv2
 result |= SSL_OP_NO_SSLv2;
 #endif
+#ifdef SSL_OP_SINGLE_DH_USE
+result |= SSL_OP_SINGLE_DH_USE;
+#endif
 if (option_spec == NULL)
   {
-- 
2.30.2
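Review bot: The new `SSL_OP_SINGLE_DH_USE` default in tls-openssl.c carries no comment explaining why it is pre-set, and the rationale lives only in the ChangeLog hunk, so a reader of the C file cannot tell it is deliberately mirroring what OpenSSL 1.1.0 forces server-side. I'd put, above the new `#ifdef`, `/* Default on, matching OpenSSL >= 1.1.0 server behaviour: generate a fresh DH key per handshake rather than reusing one. Administrators can still clear it via openssl_options. */`. The enclosing function begins before and ends after the hunk, so I cannot see whether a later `-single_dh_use` in option_spec clears this pre-set bit the same way the existing `no_sslv2` default can be cleared; the spec.xfpt default string `"+no_sslv2 +single_dh_use"` implies it does, and that is worth confirming against the parser. Note also that on an OpenSSL build lacking the macro the documented default is silently not applied, which may be acceptable but deserves a mention in the spec text.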