On Fri 2013-10-25 17:21:14 -0400, Daniel Kahn Gillmor wrote:
I just noticed that when I operate perdition as a server offering TLS,
clients are unable to select an ephemeral Diffie-Hellman key exchange
mechanism (also known as EDH or DHE). Since DHE is the most
widely-supported TLS key exchange mechanism to provide Perfect Forward
Secrecy (PFS), it seems like something perdition might want.
The patch below enables DHE support for perdition. By default, it looks
for a PEM-encoded DH PARAMETERS section in the server's certificate
file. I've also added a configuration option (--ssl_dh_params_file)
which can be used to specify a separate file for the DH params if
desired.
I now have servers running this patch in production. It is definitely
useful. I'd love to get feedback from upstream about it. If there are
questions or concerns, please share them. If there is something I could
do differently in the patch to make it more appealing for inclusion in
perdition, please let me know what I should do.
Regards,
--dkg
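The lookup order the mail describes (a DH PARAMETERS section in the server's certificate file by default, or a separate file named by --ssl_dh_params_file) can be illustrated in a few lines. The following is an added example written for this page; it is not the patch referred to above and not perdition's own code (perdition is a C program using OpenSSL). It assumes that an explicitly supplied params file takes precedence and that a file lacking a DH PARAMETERS section means no DHE suites can be offered; the one real library call, `ssl.SSLContext.load_dh_params`, is Python's standard-library wrapper around OpenSSL's DH parameter loading. The PEM bodies are constructed placeholders, not key material.

```python
import re
import ssl
import tempfile
from typing import Optional

# Matches one PEM "DH PARAMETERS" section, however many other PEM sections
# (CERTIFICATE, PRIVATE KEY, ...) surround it in the same file.
DH_SECTION = re.compile(
    r"-----BEGIN DH PARAMETERS-----\r?\n.*?-----END DH PARAMETERS-----\r?\n?",
    re.DOTALL,
)


def extract_dh_section(pem_text: str) -> Optional[str]:
    """Return the first DH PARAMETERS block found in pem_text, or None."""
    match = DH_SECTION.search(pem_text)
    return match.group(0) if match else None


def resolve_dh_params(cert_text: str,
                      dh_params_text: Optional[str] = None) -> Optional[str]:
    """Lookup order as described in the mail (assumed precedence): a
    separately supplied params file (the --ssl_dh_params_file option) wins;
    otherwise fall back to a DH PARAMETERS section in the certificate file.
    An explicit file without such a section is treated as 'no params', not
    as a reason to fall back silently."""
    if dh_params_text is not None:
        return extract_dh_section(dh_params_text)
    return extract_dh_section(cert_text)


def dhe_available(cert_text: str,
                  dh_params_text: Optional[str] = None) -> bool:
    """True if the server has DH parameters and so can offer DHE suites;
    without them OpenSSL-based servers simply never negotiate DHE."""
    return resolve_dh_params(cert_text, dh_params_text) is not None


def apply_dh_params(ctx: ssl.SSLContext, dh_section: str) -> None:
    """Hand the PEM block to OpenSSL. load_dh_params takes a filesystem path,
    so the extracted block is written to a temporary file first. Requires a
    real DH PARAMETERS block; the placeholders below will not load."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as tmp:
        tmp.write(dh_section)
        tmp.flush()
        ctx.load_dh_params(tmp.name)


# Constructed sample inputs; the bodies are placeholders, not real DER data.
CERT_FILE_WITH_DH = """-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT-BODY
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
PLACEHOLDER-DH-BODY
-----END DH PARAMETERS-----
"""
CERT_FILE_WITHOUT_DH = """-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT-BODY
-----END CERTIFICATE-----
"""
SEPARATE_DH_FILE = """-----BEGIN DH PARAMETERS-----
SEPARATE-PLACEHOLDER-DH-BODY
-----END DH PARAMETERS-----
"""

if __name__ == "__main__":
    cases = [
        ("cert file with DH section, no --ssl_dh_params_file",
         CERT_FILE_WITH_DH, None),
        ("cert file without DH section, no --ssl_dh_params_file",
         CERT_FILE_WITHOUT_DH, None),
        ("cert file without DH section, --ssl_dh_params_file given",
         CERT_FILE_WITHOUT_DH, SEPARATE_DH_FILE),
    ]
    for label, cert, extra in cases:
        status = "DHE offered" if dhe_available(cert, extra) else "no DHE"
        print(f"{label}: {status}")
```

The check worth running after deploying such a change is the negative case: a certificate file with no DH PARAMETERS section and no separate params file yields `no DHE`, which is exactly the silent loss of forward secrecy the mail is addressing, so logging that condition at startup is preferable to discovering it from a cipher-suite scan later.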