authorSam Varshavchik2013-11-10 20:07:18 -0500
committerSam Varshavchik2013-11-10 21:55:21 -0500
commit4d91075b1b90f68527304b45bb26637a17e1454d (patch)
treedde479f63ba4470a3e9c4210b79cda13d0aab4c4 /imap/mkdhparams.in
parent37a74ee0f736237b67330c620de7dc08232dec17 (diff)
Update DH parameter configuration scripts.
* libs/tcpd/libcouriergnutls.c, libs/tcpd/libcouriertls.c: remove the TLS_DHCERTFILE setting, and use TLS_CERTFILE for all functionality. Read DH parameters from TLS_CERTFILE, or from the new TLS_DHPARAMS environment variable. * mkdhparams: New script that generates DH parameters into a standalone file. * Remove TLS_DHCERTFILE setting from imapd-ssl, pop3d-ssl, esmtpd and esmtpd-ssl. Add TLS_DHPARAMS. * Update imapd.cnf.openssl, pop3d.cnf.openssl, esmtpd.cnf.openssl, set default number of bits for RSA keys to 4096.
Diffstat (limited to 'imap/mkdhparams.in')
-rw-r--r--imap/mkdhparams.in44
1 files changed, 44 insertions, 0 deletions
diff --git a/imap/mkdhparams.in b/imap/mkdhparams.in
new file mode 100644
index 0000000..f5bddfa
--- /dev/null
+++ b/imap/mkdhparams.in
@@ -0,0 +1,44 @@
+#! @SHELL@
+#
+# Copyright 2013 Double Precision, Inc. See COPYING for
+# distribution information.
+#
+# Run this script monthly to generate DH parameters.
+
+if test -f @certsdir@/dhparams.pem
+then
+ if test "`find @certsdir@/dhparams.pem -mtime +25 -print `" = ""
+ then
+ # Less than 25 days old
+ exit 0
+ fi
+fi
+
+set -e
+
+cp /dev/null @certsdir@/dhparams.pem.tmp
+chmod 600 @certsdir@/dhparams.pem.tmp
+chown @mailuser@ @certsdir@/dhparams.pem.tmp
+
+BITS="$DH_BITS"
+if test "@ssllib@" = "openssl"
+then
+ if test "$BITS" = ""
+ then
+ BITS=768
+ fi
+
+ dd if=@RANDOMV@ of=@certsdir@/dhparams.rand.tmp count=1 2>/dev/null
+ @OPENSSL@ dhparam -rand @certsdir@/dhparams.rand.tmp -outform PEM $BITS >@certsdir@/dhparams.pem.tmp
+ rm -f @certsdir@/dhparams.rand.tmp
+ mv -f @certsdir@/dhparams.pem.tmp @certsdir@/dhparams.pem
+else
+ if test "$BITS" = ""
+ then
+ BITS=high
+ fi
+
+ @CERTTOOL@ --generate-dh-params --sec-param $BITS >@certsdir@/dhparams.pem.tmp
+ mv -f @certsdir@/dhparams.pem.tmp @certsdir@/dhparams.pem
+fi
+
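Review bot: The OpenSSL fallback `BITS=768` at the first `if test "$BITS" = ""` branch is a weak DH group size for a value that remote peers will be offered in every handshake, and it sits oddly beside this same commit raising the RSA default to 4096; `BITS=2048` is the conservative floor here. The `.tmp` files are created under the caller's umask before the `chmod 600` runs, so a `umask 077` line ahead of `cp /dev/null @certsdir@/dhparams.pem.tmp` would remove that window, and it would also cover `dhparams.rand.tmp`, which gets no explicit mode at all. Under `set -e` a failing `dhparam`/`certtool` exits with `dhparams.pem.tmp` (and the rand file) left on disk and no `trap` to clean up, so `trap 'rm -f @certsdir@/dhparams.pem.tmp @certsdir@/dhparams.rand.tmp' EXIT` placed right after `set -e` would be worth adding. Note also that `$DH_BITS` is passed as a bit count to OpenSSL but as `--sec-param` to certtool, which takes a named level such as `high`, so one value of the variable is not valid for both builds; the header comment should state which form each build expects.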