OpenSSL: Default the SINGLE_DH_USE option flag set

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 44623a5502523e90e3594a25656be4e3290709a5..aa1e677127e23d1e16e19ef45602fdae047954d9 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15431,7 +15431,7 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)&
 transport driver.
 
 
-.option openssl_options main "string list" "+no_sslv2"
+.option openssl_options main "string list" "+no_sslv2 +single_dh_use"
 .cindex "OpenSSL "compatibility options"
 This option allows an administrator to adjust the SSL options applied
 by OpenSSL to connections.  It is given as a space-separated list of items,

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 52d4aeb56f506777acb1c0b47db01f9775d100b8..09437e40ed847a932e7ee449f4e78f277fe37561 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -144,6 +144,10 @@ JH/34 Bug 1192: replace the embedded copy of PolarSSL RSA routines in the DKIM
       support, by using OpenSSL or GnuTLS library ones.  This means DKIM is
       only supported when built with TLS support.
 
+JH/35 Require SINGLE_DH_USE by default in OpenSSL (main config option
+      openssl_options), for security.  OpenSSL forces this from version 1.1.0
+      server-side so match that on older versions.
+
 
 Exim version 4.86
 -----------------

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 9944a8f60db944eef640830e15ef247e72a922f7..3ecb6cb3ff28376891d0a1ea8c39e728c65ddfa1 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2751,6 +2751,9 @@ result = 0L;
 #ifdef SSL_OP_NO_SSLv2
 result |= SSL_OP_NO_SSLv2;
 #endif
+#ifdef SSL_OP_SINGLE_DH_USE
+result |= SSL_OP_SINGLE_DH_USE;
+#endif
 
 if (option_spec == NULL)
   {