nghttpd: Add --dh-param-file option to support DHE ciphers

2014-06-28 15:43:06 +09:00 · 2014-06-28 15:43:06 +09:00 · 4e81a34146
parent 9fec34968b
commit 4e81a34146
3 changed files with 32 additions and 0 deletions
--- a/src/HttpServer.cc
+++ b/src/HttpServer.cc
@ -1694,6 +1694,28 @@ int HttpServer::run()

 #endif // OPENSSL_NO_EC

+    if(!config_->dh_param_file.empty()) {
+      // Read DH parameters from file
+      auto bio = BIO_new_file(config_->dh_param_file.c_str(), "r");
+      if(bio == nullptr) {
+        std::cerr << "BIO_new_file() failed: "
+                  << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
+        return -1;
+      }
+
+      auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
+
+      if(dh == nullptr) {
+        std::cerr << "PEM_read_bio_DHparams() failed: "
+                  << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
+        return -1;
+      }
+
+      SSL_CTX_set_tmp_dh(ssl_ctx, dh);
+      DH_free(dh);
+      BIO_free(bio);
+    }
+
    if(SSL_CTX_use_PrivateKey_file(ssl_ctx,
                                   config_->private_key_file.c_str(),
                                   SSL_FILETYPE_PEM) != 1) {
--- a/src/HttpServer.h
+++ b/src/HttpServer.h
@ -63,6 +63,7 @@ struct Config {
  std::string host;
  std::string private_key_file;
  std::string cert_file;
+  std::string dh_param_file;
  timeval stream_read_timeout;
  timeval stream_write_timeout;
  void *data_ptr;
--- a/src/nghttpd.cc
+++ b/src/nghttpd.cc
@ -133,6 +133,10 @@ Options:
                     Set the number of worker threads.
                     Default: 1
  -e, --error-gzip   Make error response gzipped.
+  --dh-param-file=<PATH>
+                     Path to  file that contains DH  parameters in PEM
+                     format.  Without  this option, DHE  cipher suites
+                     are not available.
  --version          Display version information and exit.
  -h, --help         Display this help and exit.)"
      << std::endl;
@ -159,6 +163,7 @@ int main(int argc, char **argv)
      {"no-tls", no_argument, &flag, 1},
      {"color", no_argument, &flag, 2},
      {"version", no_argument, &flag, 3},
+      {"dh-param-file", required_argument, &flag, 4},
      {nullptr, 0, nullptr, 0}
    };
    int option_index = 0;
@ -233,6 +238,10 @@ int main(int argc, char **argv)
        // version
        print_version(std::cout);
        exit(EXIT_SUCCESS);
+      case 4:
+        // dh-param-file
+        config.dh_param_file = optarg;
+        break;
      }
      break;
    default: