* Tue Mar 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme

- handle dhparams [SME: 12963]
2025-03-18 00:39:18 -04:00
parent 7fe3a22ad3
commit a545dc6458
4 changed files with 25 additions and 6 deletions
--- a/root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
@@ -18,29 +18,35 @@

        my $chain_file = $modSSL{CertificateChainFile} ||
        "# no chain cert";
-	$chain_file = "# no chain cert" unless -e $chain_file;
-        
+        $chain_file = "# no chain cert" unless -e $chain_file;
        $chain_file = ( $chain_file eq "# no chain cert" )? $chain_file  : "TLSCertificateChainFile $chain_file";
+
+        #/home/e-smith/dh.pem/4096.pem
+        my $ftpdhparam = "#no dh param";
+        $ftpdhparam = "SFTPDHParamFile            /home/e-smith/dh.pem/2048.pem" if (dh_exists_good_size("2048","/home/e-smith/dh.pem/2048.pem"));
+        $ftpdhparam = "SFTPDHParamFile            /home/e-smith/dh.pem/4096.pem" if (dh_exists_good_size("4096","/home/e-smith/dh.pem/4096.pem"));
+
        my $ciphers = $ftp{CipherSuite} || $modSSL{CipherSuite} || $smeCiphers;
        #SME11 proftpd 1.3.6 branch does not support TLS v1.3
        $smeSSLprotocol =~ s/TLSv1.3//;
        # NoSessionReuseRequired is required with newer clients and TLS to be bale to list folder
-    	$OUT .= <<SSL_END;
+        $OUT .= <<SSL_END;

 <IfModule mod_tls.c>
 TLSEngine                  on
 TLSLog                     /var/log/proftpd/tls.log
 TLSProtocol                $smeSSLprotocol
-TLSCipherSuite						 $ciphers
+TLSCipherSuite             $ciphers
 TLSOptions                 NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
 TLSRSACertificateFile      $crt
 TLSRSACertificateKeyFile   $key
 $chain_file
+$ftpdhparam
 TLSVerifyClient            $tlsclient
 TLSRequired                $tlsrequired
 </IfModule>
 SSL_END

-	}
+  }
 }