diff -pur ../cyrus-imapd-2.4.17/doc/man/imapd.conf.5.html ./doc/man/imapd.conf.5.html
--- ../cyrus-imapd-2.4.17/doc/man/imapd.conf.5.html 2012-12-01 20:59:55.000000000 +0100
+++ ./doc/man/imapd.conf.5.html 2014-10-16 02:29:41.366857590 +0200
@@ -2150,6 +2150,12 @@ that a TLS session will be cached for la
 maximum value is 1440 (24 hours), the default. A value of 0 will disable session caching.

+

tls_ec: +prime256v1

+ +

This configures which elliptical +curve parameter to use for TLS.

+

umask: 077

 The umask value used by various
diff -pur ../cyrus-imapd-2.4.17/imap/tls.c ./imap/tls.c
--- ../cyrus-imapd-2.4.17/imap/tls.c 2012-12-01 20:57:54.000000000 +0100
+++ ./imap/tls.c 2014-10-16 02:31:46.446883444 +0200
@@ -630,6 +630,7 @@ int tls_init_serverengine(const char
 const char *CAfile;
 const char *s_cert_file;
 const char *s_key_file;
+ const char *ec;
 int requirecert;
 int timeout;
@@ -747,6 +748,28 @@ int tls_init_serverengine(const char
 /* FIXME: Load ECDH params for ECDHE suites when 0.9.9 is released */
 #endif
+#if (OPENSSL_VERSION_NUMBER >= 0x1000103fL)
+
+ /* Setup an ec - default to X9.62/SECG curve over a 256 bit prime field */
+
+ ec = config_getstring(IMAPOPT_TLS_EC);
+
+ int openssl_nid = OBJ_sn2nid(ec);
+ if (openssl_nid != 0) {
+ EC_KEY *ecdh;
+ ecdh = EC_KEY_new_by_curve_name(openssl_nid);
+ if (ecdh != NULL) {
+ SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
+ EC_KEY_free(ecdh);
+ } else {
+ syslog(LOG_NOTICE,"TLS server engine: unknown tls_ec specified");
+ }
+ } else {
+ syslog(LOG_NOTICE,"TLS server engine: unknown tls_ec specified");
+ }
+
+#endif
+
 verify_depth = verifydepth;
 if (askcert!=0)
 verify_flags |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
diff -pur ../cyrus-imapd-2.4.17/lib/imapoptions ./lib/imapoptions
--- ../cyrus-imapd-2.4.17/lib/imapoptions 2014-10-16 02:28:24.662859234 +0200
+++ ./lib/imapoptions 2014-10-16 02:29:41.374856717 +0200
@@ -1408,6 +1408,10 @@ product version in the capabilities */
 for later reuse. The maximum value is 1440 (24 hours), the default. A value of 0 will disable session caching. */
+{ "tls_ec", "prime256v1", STRING }
+/* The default elliptical curve parameter.
+ For list of curves see: openssl ecparam -list_curves */
+
 { "umask", "077", STRING }
 /* The umask value used by various Cyrus IMAP programs. */
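Review bot: When `tls_ec` names a curve OpenSSL does not recognize, the new block only logs at LOG_NOTICE and falls through, so tls_init_serverengine continues with no ECDH curve configured and ECDHE suites are left unusable on these OpenSSL versions; the two `syslog` calls also carry identical text, although the inner one fires when `OBJ_sn2nid` did resolve the name but `EC_KEY_new_by_curve_name` failed. Log the configured value and distinguish the two cases, e.g. `syslog(LOG_ERR, "TLS server engine: unknown tls_ec '%s' specified", ec);` in the outer branch and `syslog(LOG_ERR, "TLS server engine: cannot create EC key for tls_ec '%s'", ec);` in the inner one, and check the return value of `SSL_CTX_set_tmp_ecdh`, which can fail as well. `config_getstring` presumably never returns NULL here because the option has a default, but confirm that before passing `ec` to `%s`. Separately, `int openssl_nid` is declared mid-block while the first hunk adds `const char *ec;` to the declaration list at the top of the function — keep the two consistent — and the `/* FIXME: Load ECDH params for ECDHE suites when 0.9.9 is released */` comment just above the new block is now stale. tls_init_serverengine starts and ends outside the hunk.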
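Review bot: The new comment for `tls_ec` does not say what form the value takes or what happens on a bad one, and the imapd.conf man page is generated from it. Since the tls.c change resolves the value with `OBJ_sn2nid`, the comment should state that it is an OpenSSL curve short name and that an unrecognized name is only logged and leaves no ECDH curve configured; `/* The elliptic curve used for ECDHE key exchange, given as an OpenSSL curve short name (see: openssl ecparam -list_curves). An unrecognized name is logged and leaves no curve configured. */` also replaces "elliptical" with the standard term.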