New option -dhparam to s_server to allow the DH parameter file to be set
explicitly. Previously it couldn't be changed because it was hard coded as
"server.pem".
diff --git a/CHANGES b/CHANGES
index 4e9fef4..8ee6b2e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
 
  Changes between 0.9.4 and 0.9.5  [xx XXX 1999]
 
+  *) New option -dhparam in s_server. This allows a DH parameter file to be
+     stated explicitly. If it is not stated then it tries the first server
+     certificate file. The previous behaviour hard coded the filename
+     "server.pem".
+     [Steve Henson]
+
   *) Add -pubin and -pubout options to the rsa and dsa commands. These allow
      a public key to be input or output. For example:
      openssl rsa -in key.pem -pubout -out pubkey.pem
diff --git a/apps/s_server.c b/apps/s_server.c
index da0f2ff..ca22b2f 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -108,7 +108,7 @@
 static int init_ssl_connection(SSL *s);
 static void print_stats(BIO *bp,SSL_CTX *ctx);
 #ifndef NO_DH
-static DH *load_dh_param(void );
+static DH *load_dh_param(char *dhfile);
 static DH *get_dh512(void);
 #endif
 #ifdef MONOLITH
@@ -160,8 +160,6 @@
 #undef PROG
 #define PROG		s_server_main
 
-#define DH_PARAM	"server.pem"
-
 extern int verify_depth;
 
 static char *cipher=NULL;
@@ -217,10 +215,12 @@
 	BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
 	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
 	BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
-	BIO_printf(bio_err," -key arg      - RSA file to use, PEM format assumed, in cert file if\n");
+	BIO_printf(bio_err," -key arg      - Private Key file to use, PEM format assumed, in cert file if\n");
 	BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT);
 	BIO_printf(bio_err," -dcert arg    - second certificate file to use (usually for DSA)\n");
 	BIO_printf(bio_err," -dkey arg     - second private key file to use (usually for DSA)\n");
+	BIO_printf(bio_err," -dhparam arg  - DH parameter file to use, in cert file if not specified\n");
+	BIO_printf(bio_err,"                 or a default set of parameters is used\n");
 #ifdef FIONBIO
 	BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
 #endif
@@ -406,6 +406,7 @@
 	short port=PORT;
 	char *CApath=NULL,*CAfile=NULL;
 	char *context = NULL;
+	char *dhfile = NULL;
 	int badop=0,bugs=0;
 	int ret=1;
 	int off=0;
@@ -483,6 +484,11 @@
 			if (--argc < 1) goto bad;
 			s_key_file= *(++argv);
 			}
+		else if	(strcmp(*argv,"-dhparam") == 0)
+			{
+			if (--argc < 1) goto bad;
+			dhfile = *(++argv);
+			}
 		else if	(strcmp(*argv,"-dcert") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -643,8 +649,7 @@
 #ifndef NO_DH
 	if (!no_dhe)
 		{
-		/* EAY EAY EAY evil hack */
-		dh=load_dh_param();
+		dh=load_dh_param(dhfile ? dhfile : s_cert_file);
 		if (dh != NULL)
 			{
 			BIO_printf(bio_s_out,"Setting temp DH parameters\n");
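Review bot: A -dhparam file that cannot be opened or parsed is handled the same way as no file at all. `load_dh_param(dhfile ? dhfile : s_cert_file)` returns NULL in that case and only the `dh != NULL` branch is visible here, so the code after this hunk presumably falls back to the built-in parameters (the usage text says a default set is used, and `get_dh512` is declared above). An operator who named a parameter file explicitly would then run with the defaults without being told. I would add a check right after the call, `if (dh == NULL && dhfile != NULL)`, that prints the file name to `bio_err` and takes the function's error exit. The silent fallback is reasonable only for the implicit `s_cert_file` case.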
@@ -1076,12 +1081,12 @@
 	}
 
 #ifndef NO_DH
-static DH *load_dh_param(void)
+static DH *load_dh_param(char *dhfile)
 	{
 	DH *ret=NULL;
 	BIO *bio;
 
-	if ((bio=BIO_new_file(DH_PARAM,"r")) == NULL)
+	if ((bio=BIO_new_file(dhfile,"r")) == NULL)
 		goto err;
 	ret=PEM_read_bio_DHparams(bio,NULL,NULL,NULL);
 err:
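Review bot: `dhfile` is only read in `load_dh_param`, so the parameter is better declared `const char *dhfile`, here and in the prototype in the first s_server.c hunk, assuming `BIO_new_file` accepts a const path in this tree. Now that the path comes from the command line, a short comment above the function would also help, for example `/* Returns NULL if dhfile cannot be opened or holds no DH parameters; the caller decides whether to fall back. */`. The function body continues after `err:` outside the hunk, so the return behaviour is inferred from `ret=NULL` and the `goto err`.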