tls: adding support of dhparam.
Signed-off-by: Tom Li <biergaizi2009@gmail.com>
This commit is contained in:
parent
e6ee356925
commit
d5954ce249
29
plugins/tls
29
plugins/tls
@ -8,9 +8,9 @@ tls - plugin to support STARTTLS
|
|||||||
|
|
||||||
# in config/plugins
|
# in config/plugins
|
||||||
|
|
||||||
tls [B<cert_path priv_key_path ca_path>]
|
tls [B<cert_path priv_key_path ca_path dhparam_path>]
|
||||||
|
|
||||||
=over 4
|
=over 5
|
||||||
|
|
||||||
=item B<cert_path>
|
=item B<cert_path>
|
||||||
|
|
||||||
@ -24,6 +24,11 @@ Path to the private key file. Default: I<ssl/qpsmtpd-server.key>
|
|||||||
|
|
||||||
Path to the certificate authority file. Default: I<ssl/qpsmtpd-ca.crt>
|
Path to the certificate authority file. Default: I<ssl/qpsmtpd-ca.crt>
|
||||||
|
|
||||||
|
=item B<dhparam_path>
|
||||||
|
|
||||||
|
Path to the DH parameter file if you want Diffie-Hellman key exchange.
|
||||||
|
Default: I<ssl/qpsmtpd-dhparam.pem>
|
||||||
|
|
||||||
=back
|
=back
|
||||||
|
|
||||||
=head1 DESCRIPTION
|
=head1 DESCRIPTION
|
||||||
@ -66,19 +71,28 @@ use IO::Socket::SSL 0.98;
|
|||||||
use Qpsmtpd::Constants;
|
use Qpsmtpd::Constants;
|
||||||
|
|
||||||
sub init {
|
sub init {
|
||||||
my ($self, $qp, $cert, $key, $ca) = @_;
|
my ($self, $qp, $cert, $key, $ca, $dhparam) = @_;
|
||||||
my $dir = -d 'ssl' ? 'ssl' : 'config/ssl';
|
my $dir = -d 'ssl' ? 'ssl' : 'config/ssl';
|
||||||
$cert ||= "$dir/qpsmtpd-server.crt";
|
$cert ||= "$dir/qpsmtpd-server.crt";
|
||||||
$key ||= "$dir/qpsmtpd-server.key";
|
$key ||= "$dir/qpsmtpd-server.key";
|
||||||
$ca ||= "$dir/qpsmtpd-ca.crt";
|
$ca ||= "$dir/qpsmtpd-ca.crt";
|
||||||
|
$dhparam ||= "$dir/qpsmtpd-dhparam.pem";
|
||||||
unless (-f $cert && -f $key && -f $ca) {
|
unless (-f $cert && -f $key && -f $ca) {
|
||||||
$self->log(LOGERROR,
|
$self->log(LOGERROR,
|
||||||
"Cannot locate cert/key! Run plugins/tls_cert to generate");
|
"Cannot locate cert/key! Run plugins/tls_cert to generate");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
unless (-f $dhparam) {
|
||||||
|
$dhparam = "";
|
||||||
|
$self->log(LOGINFO,
|
||||||
|
"Cannot locate dhparam, possible DHE algorithms will be unavailable.");
|
||||||
|
$self->log(LOGINFO,
|
||||||
|
"The encryption strength will decline que to lack of Forward Secrecy.");
|
||||||
|
}
|
||||||
$self->tls_cert($cert);
|
$self->tls_cert($cert);
|
||||||
$self->tls_key($key);
|
$self->tls_key($key);
|
||||||
$self->tls_ca($ca);
|
$self->tls_ca($ca);
|
||||||
|
$self->tls_dhparam($dhparam);
|
||||||
$self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
|
$self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
|
||||||
|
|
||||||
$self->log(LOGDEBUG, "ciphers: " . $self->tls_ciphers);
|
$self->log(LOGDEBUG, "ciphers: " . $self->tls_ciphers);
|
||||||
@ -93,6 +107,7 @@ sub init {
|
|||||||
SSL_cert_file => $self->tls_cert,
|
SSL_cert_file => $self->tls_cert,
|
||||||
SSL_key_file => $self->tls_key,
|
SSL_key_file => $self->tls_key,
|
||||||
SSL_ca_file => $self->tls_ca,
|
SSL_ca_file => $self->tls_ca,
|
||||||
|
SSL_dh_file => $self->tls_dhparam,
|
||||||
SSL_cipher_list => $self->tls_ciphers,
|
SSL_cipher_list => $self->tls_ciphers,
|
||||||
SSL_server => 1,
|
SSL_server => 1,
|
||||||
SSL_honor_cipher_order => 1
|
SSL_honor_cipher_order => 1
|
||||||
@ -193,6 +208,7 @@ sub _convert_to_ssl {
|
|||||||
SSL_cert_file => $self->tls_cert,
|
SSL_cert_file => $self->tls_cert,
|
||||||
SSL_key_file => $self->tls_key,
|
SSL_key_file => $self->tls_key,
|
||||||
SSL_ca_file => $self->tls_ca,
|
SSL_ca_file => $self->tls_ca,
|
||||||
|
SSL_dh_file => $self->tls_dhparam,
|
||||||
SSL_cipher_list => $self->tls_ciphers,
|
SSL_cipher_list => $self->tls_ciphers,
|
||||||
SSL_server => 1,
|
SSL_server => 1,
|
||||||
SSL_reuse_ctx => $self->ssl_context,
|
SSL_reuse_ctx => $self->ssl_context,
|
||||||
@ -236,6 +252,12 @@ sub tls_ca {
|
|||||||
$self->{_tls_ca};
|
$self->{_tls_ca};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub tls_dhparam {
|
||||||
|
my $self = shift;
|
||||||
|
@_ and $self->{_tls_dhparam} = shift;
|
||||||
|
$self->{_tls_dhparam};
|
||||||
|
}
|
||||||
|
|
||||||
sub tls_ciphers {
|
sub tls_ciphers {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
@_ and $self->{_tls_ciphers} = shift;
|
@_ and $self->{_tls_ciphers} = shift;
|
||||||
@ -293,6 +315,7 @@ sub upgrade_socket {
|
|||||||
SSL_cert_file => $sp->tls_cert,
|
SSL_cert_file => $sp->tls_cert,
|
||||||
SSL_key_file => $sp->tls_key,
|
SSL_key_file => $sp->tls_key,
|
||||||
SSL_ca_file => $sp->tls_ca,
|
SSL_ca_file => $sp->tls_ca,
|
||||||
|
SSL_dh_file => $self->tls_dhparam,
|
||||||
SSL_cipher_list => $sp->tls_ciphers,
|
SSL_cipher_list => $sp->tls_ciphers,
|
||||||
SSL_startHandshake => 0,
|
SSL_startHandshake => 0,
|
||||||
SSL_server => 1,
|
SSL_server => 1,
|
||||||
|
Loading…
Reference in New Issue
Block a user