From e6ee3569256654957d3550b2e8a32e1e911ca61c Mon Sep 17 00:00:00 2001
From: Tom Li <biergaizi2009@gmail.com>
Date: Mon, 2 Feb 2015 17:37:15 +0800
Subject: [PATCH 1/8] tls: respect the order of specified ciphers.

Signed-off-by: Tom Li <biergaizi2009@gmail.com>
---
 plugins/tls | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/plugins/tls b/plugins/tls
index c04107c..21ef474 100644
--- a/plugins/tls
+++ b/plugins/tls
@@ -94,7 +94,8 @@ sub init {
                                         SSL_key_file    => $self->tls_key,
                                         SSL_ca_file     => $self->tls_ca,
                                         SSL_cipher_list => $self->tls_ciphers,
-                                        SSL_server      => 1
+                                        SSL_server      => 1,
+                                        SSL_honor_cipher_order => 1
                                        )
       or die "Could not create SSL context: $!";
 
@@ -195,6 +196,7 @@ sub _convert_to_ssl {
                                        SSL_cipher_list => $self->tls_ciphers,
                                        SSL_server      => 1,
                                        SSL_reuse_ctx   => $self->ssl_context,
+                                       SSL_honor_cipher_order => 1
                                       )
           or die "Could not create SSL socket: $!";
 
@@ -295,6 +297,7 @@ sub upgrade_socket {
                 SSL_startHandshake => 0,
                 SSL_server         => 1,
                 SSL_reuse_ctx   => $sp->ssl_context,
+                SSL_honor_cipher_order => 1
             }
         )
         or die "Could not upgrade socket to SSL: $!";

From d5954ce249646f20151d40a4aaee0eafdca255af Mon Sep 17 00:00:00 2001
From: Tom Li <biergaizi2009@gmail.com>
Date: Mon, 2 Feb 2015 17:53:42 +0800
Subject: [PATCH 2/8] tls: adding support of dhparam.

Signed-off-by: Tom Li <biergaizi2009@gmail.com>
---
 plugins/tls | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/plugins/tls b/plugins/tls
index 21ef474..53f1d9c 100644
--- a/plugins/tls
+++ b/plugins/tls
@@ -8,9 +8,9 @@ tls - plugin to support STARTTLS
 
 # in config/plugins
 
-tls [B<cert_path priv_key_path ca_path>]
+tls [B<cert_path priv_key_path ca_path dhparam_path>]
 
-=over 4
+=over 5
 
 =item B<cert_path>
 
@@ -24,6 +24,11 @@ Path to the private key file. Default: I<ssl/qpsmtpd-server.key>
 
 Path to the certificate authority file. Default: I<ssl/qpsmtpd-ca.crt>
 
+=item B<dhparam_path>
+
+Path to the DH parameter file if you want Diffie-Hellman key exchange.
+Default: I<ssl/qpsmtpd-dhparam.pem>
+
 =back
 
 =head1 DESCRIPTION
@@ -66,19 +71,28 @@ use IO::Socket::SSL 0.98;
 use Qpsmtpd::Constants;
 
 sub init {
-    my ($self, $qp, $cert, $key, $ca) = @_;
+    my ($self, $qp, $cert, $key, $ca, $dhparam) = @_;
     my $dir = -d 'ssl' ? 'ssl' : 'config/ssl';
     $cert ||= "$dir/qpsmtpd-server.crt";
     $key  ||= "$dir/qpsmtpd-server.key";
     $ca   ||= "$dir/qpsmtpd-ca.crt";
+    $dhparam ||= "$dir/qpsmtpd-dhparam.pem";
     unless (-f $cert && -f $key && -f $ca) {
         $self->log(LOGERROR,
                    "Cannot locate cert/key!  Run plugins/tls_cert to generate");
         return;
     }
+    unless (-f $dhparam) {
+        $dhparam = "";
+        $self->log(LOGINFO,
+                   "Cannot locate dhparam, possible DHE algorithms will be unavailable.");
+        $self->log(LOGINFO,
+                   "The encryption strength will decline que to lack of Forward Secrecy.");
+    }
     $self->tls_cert($cert);
     $self->tls_key($key);
     $self->tls_ca($ca);
+    $self->tls_dhparam($dhparam);
     $self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
 
     $self->log(LOGDEBUG, "ciphers: " . $self->tls_ciphers);
@@ -93,6 +107,7 @@ sub init {
                                         SSL_cert_file   => $self->tls_cert,
                                         SSL_key_file    => $self->tls_key,
                                         SSL_ca_file     => $self->tls_ca,
+					SSL_dh_file     => $self->tls_dhparam,
                                         SSL_cipher_list => $self->tls_ciphers,
                                         SSL_server      => 1,
                                         SSL_honor_cipher_order => 1
@@ -193,6 +208,7 @@ sub _convert_to_ssl {
                                        SSL_cert_file   => $self->tls_cert,
                                        SSL_key_file    => $self->tls_key,
                                        SSL_ca_file     => $self->tls_ca,
+				       SSL_dh_file     => $self->tls_dhparam,
                                        SSL_cipher_list => $self->tls_ciphers,
                                        SSL_server      => 1,
                                        SSL_reuse_ctx   => $self->ssl_context,
@@ -236,6 +252,12 @@ sub tls_ca {
     $self->{_tls_ca};
 }
 
+sub tls_dhparam {
+    my $self = shift;
+    @_ and $self->{_tls_dhparam} = shift;
+    $self->{_tls_dhparam};
+}
+
 sub tls_ciphers {
     my $self = shift;
     @_ and $self->{_tls_ciphers} = shift;
@@ -293,6 +315,7 @@ sub upgrade_socket {
                 SSL_cert_file   => $sp->tls_cert,
                 SSL_key_file    => $sp->tls_key,
                 SSL_ca_file     => $sp->tls_ca,
+                SSL_dh_file     => $self->tls_dhparam,
                 SSL_cipher_list => $sp->tls_ciphers,
                 SSL_startHandshake => 0,
                 SSL_server         => 1,

From acbbf668062e3cc491dd7fb64c644645ec2b684d Mon Sep 17 00:00:00 2001
From: Tom Li <biergaizi2009@gmail.com>
Date: Mon, 2 Feb 2015 17:55:40 +0800
Subject: [PATCH 3/8] tls_cert: adding dhparam generating.

Signed-off-by: Tom Li <biergaizi2009@gmail.com>
---
 plugins/tls_cert | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/plugins/tls_cert b/plugins/tls_cert
index 4e34506..b1afde1 100644
--- a/plugins/tls_cert
+++ b/plugins/tls_cert
@@ -62,6 +62,7 @@ system('openssl', 'req', '-config', $CAfilename, '-new', '-x509',
 my $SERVER_key = 'ssl/qpsmtpd-server.key';
 my $SERVER_csr = 'ssl/qpsmtpd-server.csr';
 my $SERVER_crt = 'ssl/qpsmtpd-server.crt';
+my $SERVER_dhparam = 'ssl/qpsmtpd-server.dhparam';
 
 my ($SERVER, $SERVERfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1);
 print ${SERVER} return_cfg($opts{OU});
@@ -94,6 +95,9 @@ system('openssl', 'x509', '-extfile', $SIGNfilename, '-days', (365*2),
 	'-req', '-out', $SERVER_crt) == 0
     or die "Cannot sign cert: $?";
 
+system('openssl', 'dhparam', '-out', '$SERVER_dhparam', 2048) == 0
+    or die "Cannot create server dhparam: $?";
+
 exit(0);
 	
 sub return_cfg {

From 2e2e6c70c65c3b5d24248678424e4074d0f322f8 Mon Sep 17 00:00:00 2001
From: Tom Li <biergaizi2009@gmail.com>
Date: Mon, 2 Feb 2015 18:19:13 +0800
Subject: [PATCH 4/8] tls: style fixes.

Signed-off-by: Tom Li <biergaizi2009@gmail.com>
---
 plugins/tls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/tls b/plugins/tls
index 53f1d9c..cccf3fd 100644
--- a/plugins/tls
+++ b/plugins/tls
@@ -107,7 +107,7 @@ sub init {
                                         SSL_cert_file   => $self->tls_cert,
                                         SSL_key_file    => $self->tls_key,
                                         SSL_ca_file     => $self->tls_ca,
-					SSL_dh_file     => $self->tls_dhparam,
+                                        SSL_dh_file     => $self->tls_dhparam,
                                         SSL_cipher_list => $self->tls_ciphers,
                                         SSL_server      => 1,
                                         SSL_honor_cipher_order => 1
@@ -208,7 +208,7 @@ sub _convert_to_ssl {
                                        SSL_cert_file   => $self->tls_cert,
                                        SSL_key_file    => $self->tls_key,
                                        SSL_ca_file     => $self->tls_ca,
-				       SSL_dh_file     => $self->tls_dhparam,
+                                       SSL_dh_file     => $self->tls_dhparam,
                                        SSL_cipher_list => $self->tls_ciphers,
                                        SSL_server      => 1,
                                        SSL_reuse_ctx   => $self->ssl_context,

From 845760969bb22b81980884f197121bab885752fc Mon Sep 17 00:00:00 2001
From: Tom Li <biergaizi2009@gmail.com>
Date: Mon, 2 Feb 2015 18:30:54 +0800
Subject: [PATCH 5/8] tls: fix a typo.

Signed-off-by: Tom Li <biergaizi2009@gmail.com>
---
 plugins/tls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/tls b/plugins/tls
index cccf3fd..7712a54 100644
--- a/plugins/tls
+++ b/plugins/tls
@@ -87,7 +87,7 @@ sub init {
         $self->log(LOGINFO,
                    "Cannot locate dhparam, possible DHE algorithms will be unavailable.");
         $self->log(LOGINFO,
-                   "The encryption strength will decline que to lack of Forward Secrecy.");
+                   "The encryption strength will decline due to lack of Forward Secrecy.");
     }
     $self->tls_cert($cert);
     $self->tls_key($key);

From edea4c239d04a5fd1216d9c5571d6729aed46d98 Mon Sep 17 00:00:00 2001
From: Tom Li <biergaizi2009@gmail.com>
Date: Mon, 2 Feb 2015 18:36:51 +0800
Subject: [PATCH 6/8] tls_cert: unified cert name between tls and tls_cert.

Signed-off-by: Tom Li <biergaizi2009@gmail.com>
---
 plugins/tls_cert | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/tls_cert b/plugins/tls_cert
index b1afde1..7101694 100644
--- a/plugins/tls_cert
+++ b/plugins/tls_cert
@@ -62,7 +62,7 @@ system('openssl', 'req', '-config', $CAfilename, '-new', '-x509',
 my $SERVER_key = 'ssl/qpsmtpd-server.key';
 my $SERVER_csr = 'ssl/qpsmtpd-server.csr';
 my $SERVER_crt = 'ssl/qpsmtpd-server.crt';
-my $SERVER_dhparam = 'ssl/qpsmtpd-server.dhparam';
+my $SERVER_dhparam = 'ssl/qpsmtpd-dhparam.pem';
 
 my ($SERVER, $SERVERfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1);
 print ${SERVER} return_cfg($opts{OU});

From 2cc6d3f93843ccfd472518eb74cf27514418dee6 Mon Sep 17 00:00:00 2001
From: Tom Li <biergaizi2009@gmail.com>
Date: Mon, 2 Feb 2015 20:50:37 +0800
Subject: [PATCH 7/8] tls: checking if dhparam is empty, using "undef" instead
 of "" for clarity.

Signed-off-by: Tom Li <biergaizi2009@gmail.com>
---
 plugins/tls | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/plugins/tls b/plugins/tls
index 7712a54..b6d4a29 100644
--- a/plugins/tls
+++ b/plugins/tls
@@ -82,10 +82,10 @@ sub init {
                    "Cannot locate cert/key!  Run plugins/tls_cert to generate");
         return;
     }
-    unless (-f $dhparam) {
-        $dhparam = "";
+    unless (-f $dhparam && -s $dhparam) {
+        $dhparam = undef;
         $self->log(LOGINFO,
-                   "Cannot locate dhparam, possible DHE algorithms will be unavailable.");
+                   "dhparam is not exist or empty, possible DHE ciphers will be unavailable.");
         $self->log(LOGINFO,
                    "The encryption strength will decline due to lack of Forward Secrecy.");
     }

From a44c70232c544ae4ea9312ca79ac17bf406b3a3f Mon Sep 17 00:00:00 2001
From: Tom Li <biergaizi2009@gmail.com>
Date: Tue, 3 Feb 2015 03:48:39 +0800
Subject: [PATCH 8/8] tls_cert: fix a misused quotes

Signed-off-by: Tom Li <biergaizi2009@gmail.com>
---
 plugins/tls_cert | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/tls_cert b/plugins/tls_cert
index 7101694..f595638 100644
--- a/plugins/tls_cert
+++ b/plugins/tls_cert
@@ -95,7 +95,7 @@ system('openssl', 'x509', '-extfile', $SIGNfilename, '-days', (365*2),
 	'-req', '-out', $SERVER_crt) == 0
     or die "Cannot sign cert: $?";
 
-system('openssl', 'dhparam', '-out', '$SERVER_dhparam', 2048) == 0
+system('openssl', 'dhparam', '-out', $SERVER_dhparam, 2048) == 0
     or die "Cannot create server dhparam: $?";
 
 exit(0);