From 9205812071bcd7bcf098efd80b82ec2bc1a62da4 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 8 Feb 2016 15:52:25 +0100
Subject: Add server support for DHE ciphers

Similar patch was provided by Vitezslav Cizek <vcizek@suse.com>

Heavily modified by Rob Crittenden <rcritten@redhat.com>

https://fedorahosted.org/mod_nss/ticket/15
---
 nss_engine_init.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'nss_engine_init.c')

diff --git a/nss_engine_init.c b/nss_engine_init.c
index 4460f53..44b5b88 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -829,6 +829,17 @@ static void nss_init_ctx_protocol(server_rec *s,
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
         nss_die();
     }
+#ifdef ENABLE_SERVER_DHE
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+        "Enabling DHE key exchange");
+    if (SSL_OptionSet(mctx->model, SSL_ENABLE_SERVER_DHE,
+        PR_TRUE) != SECSuccess) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "Unable to enable DHE key exchange");
+        nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
+        nss_die();
+    }
+#endif
 }
 
 static void nss_init_ctx_session_cache(server_rec *s,
@@ -1043,6 +1054,10 @@ static void nss_init_ctx_cipher_suite(server_rec *s,
 
     /* Finally actually enable the selected ciphers */
     for (i=0; i<ciphernum;i++) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+            "%sable cipher: %s",
+            cipher_state[i] == 1 ? "En" : "Dis",
+            ciphers_def[i].name);
         SSL_CipherPrefSet(mctx->model, ciphers_def[i].num, cipher_state[i] == 1 ? PR_TRUE : PR_FALSE);
     }
 }
-- 
cgit