tls: add support for a dhparam file.

Signed-off-by: Tom Li <biergaizi2009@gmail.com>
Tom Li 2015-02-02 17:53:42 +08:00
parent e6ee356925
commit d5954ce249


@ -8,9 +8,9 @@ tls - plugin to support STARTTLS
# in config/plugins # in config/plugins
tls [B<cert_path priv_key_path ca_path>] tls [B<cert_path priv_key_path ca_path dhparam_path>]
=over 4 =over 5
=item B<cert_path> =item B<cert_path>
@ -24,6 +24,11 @@ Path to the private key file. Default: I<ssl/qpsmtpd-server.key>
Path to the certificate authority file. Default: I<ssl/qpsmtpd-ca.crt> Path to the certificate authority file. Default: I<ssl/qpsmtpd-ca.crt>
=item B<dhparam_path>
Path to the DH parameter file if you want Diffie-Hellman key exchange.
Default: I<ssl/qpsmtpd-dhparam.pem>
=back =back
=head1 DESCRIPTION =head1 DESCRIPTION
@ -66,19 +71,28 @@ use IO::Socket::SSL 0.98;
use Qpsmtpd::Constants; use Qpsmtpd::Constants;
sub init { sub init {
my ($self, $qp, $cert, $key, $ca) = @_; my ($self, $qp, $cert, $key, $ca, $dhparam) = @_;
my $dir = -d 'ssl' ? 'ssl' : 'config/ssl'; my $dir = -d 'ssl' ? 'ssl' : 'config/ssl';
$cert ||= "$dir/qpsmtpd-server.crt"; $cert ||= "$dir/qpsmtpd-server.crt";
$key ||= "$dir/qpsmtpd-server.key"; $key ||= "$dir/qpsmtpd-server.key";
$ca ||= "$dir/qpsmtpd-ca.crt"; $ca ||= "$dir/qpsmtpd-ca.crt";
$dhparam ||= "$dir/qpsmtpd-dhparam.pem";
unless (-f $cert && -f $key && -f $ca) { unless (-f $cert && -f $key && -f $ca) {
$self->log(LOGERROR, $self->log(LOGERROR,
"Cannot locate cert/key! Run plugins/tls_cert to generate"); "Cannot locate cert/key! Run plugins/tls_cert to generate");
return; return;
} }
unless (-f $dhparam) {
$dhparam = "";
$self->log(LOGINFO,
"Cannot locate dhparam, possible DHE algorithms will be unavailable.");
$self->log(LOGINFO,
"The encryption strength will decline que to lack of Forward Secrecy.");
}
$self->tls_cert($cert); $self->tls_cert($cert);
$self->tls_key($key); $self->tls_key($key);
$self->tls_ca($ca); $self->tls_ca($ca);
$self->tls_dhparam($dhparam);
$self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH'); $self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
$self->log(LOGDEBUG, "ciphers: " . $self->tls_ciphers); $self->log(LOGDEBUG, "ciphers: " . $self->tls_ciphers);
@ -93,6 +107,7 @@ sub init {
SSL_cert_file => $self->tls_cert, SSL_cert_file => $self->tls_cert,
SSL_key_file => $self->tls_key, SSL_key_file => $self->tls_key,
SSL_ca_file => $self->tls_ca, SSL_ca_file => $self->tls_ca,
SSL_dh_file => $self->tls_dhparam,
SSL_cipher_list => $self->tls_ciphers, SSL_cipher_list => $self->tls_ciphers,
SSL_server => 1, SSL_server => 1,
SSL_honor_cipher_order => 1 SSL_honor_cipher_order => 1
@ -193,6 +208,7 @@ sub _convert_to_ssl {
SSL_cert_file => $self->tls_cert, SSL_cert_file => $self->tls_cert,
SSL_key_file => $self->tls_key, SSL_key_file => $self->tls_key,
SSL_ca_file => $self->tls_ca, SSL_ca_file => $self->tls_ca,
SSL_dh_file => $self->tls_dhparam,
SSL_cipher_list => $self->tls_ciphers, SSL_cipher_list => $self->tls_ciphers,
SSL_server => 1, SSL_server => 1,
SSL_reuse_ctx => $self->ssl_context, SSL_reuse_ctx => $self->ssl_context,
@ -236,6 +252,12 @@ sub tls_ca {
$self->{_tls_ca}; $self->{_tls_ca};
} }
sub tls_dhparam {
my $self = shift;
@_ and $self->{_tls_dhparam} = shift;
$self->{_tls_dhparam};
}
sub tls_ciphers { sub tls_ciphers {
my $self = shift; my $self = shift;
@_ and $self->{_tls_ciphers} = shift; @_ and $self->{_tls_ciphers} = shift;
@ -293,6 +315,7 @@ sub upgrade_socket {
SSL_cert_file => $sp->tls_cert, SSL_cert_file => $sp->tls_cert,
SSL_key_file => $sp->tls_key, SSL_key_file => $sp->tls_key,
SSL_ca_file => $sp->tls_ca, SSL_ca_file => $sp->tls_ca,
SSL_dh_file => $self->tls_dhparam,
SSL_cipher_list => $sp->tls_ciphers, SSL_cipher_list => $sp->tls_ciphers,
SSL_startHandshake => 0, SSL_startHandshake => 0,
SSL_server => 1, SSL_server => 1,
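Review bot: In the upgrade_socket hunk the new option reads `SSL_dh_file => $self->tls_dhparam,` while every neighbouring option is taken from `$sp` (`$sp->tls_cert`, `$sp->tls_key`, `$sp->tls_ca`, `$sp->tls_ciphers`); if `$self` in that scope is not the plugin object this resolves to a missing method or an undef DH file, so the STARTTLS upgrade path would run without the parameters the other two contexts get — it should be `SSL_dh_file => $sp->tls_dhparam,`. Two smaller points in the init hunk: the LOGINFO message has a typo (`que to lack` should be `due to lack`), and its claim that forward secrecy is lost without the file holds only if no ECDHE suites can be negotiated, which depends on the IO::Socket::SSL/OpenSSL build and is not visible here, so the message would better say "DHE suites will be unavailable". The only validation of the parameter file is `-f $dhparam`, so weak (e.g. 1024-bit) parameters are accepted silently; the POD entry for `dhparam_path` should at least tell operators how to produce acceptable ones, e.g. `Generate with C<openssl dhparam -out ssl/qpsmtpd-dhparam.pem 2048>; parameters shorter than 2048 bits should not be used.`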