Hi Perdition folks--
I just noticed that when i operate perdition as a server offering TLS,
clients are unable to select an ephemeral Diffie-Hellman key exchange
mechanism (also known as EDH or DHE). Since DHE is the most
widely-supported TLS key exchange mechanism to provide Perfect Forward
Secrecy (PFS), it seems like something perdition might want.
The patch below enables DHE support for perdition. By default, it looks
for a PEM-encoded DH PARAMETERS section in the server's certificate
file. I've also added a configuration option (--ssl_dh_params_file)
which can be used to specify a separate file for the DH params if
desired.
With the patch and --ssl_dh_params_file explicitly declared, perdition
will throw an error if no DH parameters could be loaded. if
--ssl_dh_params_file isn't declared, it just tries to load DH params
From the cert file and carries on without DHE if no params can be found.
Another alternative could be to embed a default set of DH parameters
into perdition itself, if no parameters can be loaded. I didn't
implement that, but could do so if it is desired. Please let me know.
Also attached is a simple test script (reliant on gnutls-bin for setup)
that can be run from a built perdition source tree; if the built version
of perdition supports DHE, the script will leave the user in an IMAP
session with a test server (no backend attached, basically only LOGOUT
works). If the built version of perdition doesn't work, then the script
will terminate. Either way, copious diagnostic output is produced.
I'd be happy to have this feature adopted by perdition upstream, since i
have users of perdition who actively want to configure their MUAs to use
some PFS-enabled ciphersuite.
The patch is made against changeset 913:384a78e5951a.
Please let me know if there are changes you'd like to see, or if there
is anything that i should update to make the patch more acceptable for
inclusion upstream.
Thanks for perdition,
--dkg