[fedor] enable forward secrecy thanks to Diffie-Hellman parameters. Fixes #7555
This commit is contained in:
Yann Leboulanger
parent
7d72b8089a
commit
d4c2fd4da8
|
|
@ -0,0 +1,18 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIICCAKCAgEA+hRyUsFN4VpJ1O8JLcCo/VWr19k3BCgJ4uk+d+KhehjdRqNDNyOQ
|
||||
l/MOyQNQfWXPeGKmOmIig6Ev/nm6Nf9Z2B1h3R4hExf+zTiHnvVPeRBhjdQi81rt
|
||||
Xeoh6TNrSBIKIHfUJWBh3va0TxxjQIs6IZOLeVNRLMqzeylWqMf49HsIXqbcokUS
|
||||
Vt1BkvLdW48j8PPv5DsKRN3tloTxqDJGo9tKvj1Fuk74A+Xda1kNhB7KFlqMyN98
|
||||
VETEJ6c7KpfOo30mnK30wqw3S8OtaIR/maYX72tGOno2ehFDkq3pnPtEbD2CScxc
|
||||
alJC+EL7RPk5c/tgeTvCngvc1KZn92Y//EI7G9tPZtylj2b56sHtMftIoYJ9+ODM
|
||||
sccD5Piz/rejE3Ome8EOOceUSCYAhXn8b3qvxVI1ddd1pED6FHRhFvLrZxFvBEM9
|
||||
ERRMp5QqOaHJkM+Dxv8Cj6MqrCbfC4u+ZErxodzuusgDgvZiLF22uxMZbobFWyte
|
||||
OvOzKGtwcTqO/1wV5gKkzu1ZVswVUQd5Gg8lJicwqRWyyNRczDDoG9jVDxmogKTH
|
||||
AaqLulO7R8Ifa1SwF2DteSGVtgWEN8gDpN3RBmmPTDngyF2DHb5qmpnznwtFKdTL
|
||||
KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
These are the 4096 bit DH parameters from "Assigned Number for SKIP Protocols"
|
||||
(http://www.skip-vpn.org/spec/numbers.html).
|
||||
See there for how they were generated.
|
||||
Note that g is not a generator, but this is not a problem since p is a safe prime.
|
||||
|
|
@ -49,6 +49,8 @@ if PYOPENSSL_PRESENT:
|
|||
TYPE_DSA = crypto.TYPE_DSA
|
||||
|
||||
SELF_SIGNED_CERTIFICATE = 'localcert'
|
||||
DH_PARAMS = 'dh_params.pem'
|
||||
DEFAULT_DH_PARAMS = 'dh4096.pem'
|
||||
|
||||
def default_callback(connection, certificate, error_num, depth, return_code):
|
||||
log.info("certificate: %s" % certificate)
|
||||
|
|
@ -106,6 +108,25 @@ def get_context(fingerprint, verify_cb=None):
|
|||
cert_name = os.path.join(gajim.MY_CERT_DIR, SELF_SIGNED_CERTIFICATE)
|
||||
ctx.use_privatekey_file (cert_name + '.pkey')
|
||||
ctx.use_certificate_file(cert_name + '.cert')
|
||||
|
||||
# Try to load Diffie-Hellman parameters.
|
||||
# First try user DH parameters, if this fails load the default DH parameters
|
||||
dh_params_name = os.path.join(gajim.MY_CERT_DIR, DH_PARAMS)
|
||||
try:
|
||||
with open(dh_params_name, "r") as dh_params_file:
|
||||
ctx.load_tmp_dh(dh_params_name)
|
||||
except IOError as err:
|
||||
log.warn('Unable to load DH parameter file: %s. You should generate it by using this command : "openssl dhparam 4096 -out ~/.local/share/gajim/dh_params.pem". This command take about 15 minutes to complete.' % dh_params_name)
|
||||
default_dh_params_name = os.path.join(common.gajim.DATA_DIR,
|
||||
'other', DEFAULT_DH_PARAMS)
|
||||
try:
|
||||
with open(default_dh_params_name, "r") as default_dh_params_file:
|
||||
ctx.load_tmp_dh(default_dh_params_name)
|
||||
except IOError as err:
|
||||
log.error('Unable to load default DH parameter file: %s , %s'
|
||||
% (default_dh_params_name, err))
|
||||
raise
|
||||
|
||||
store = ctx.get_cert_store()
|
||||
for f in os.listdir(os.path.expanduser(gajim.MY_PEER_CERTS_PATH)):
|
||||
load_cert_file(os.path.join(os.path.expanduser(
|
||||
|
|
|
|||
Loading…
Reference in New Issue