$!-----------------------------------------------------------------'f$verify(0)
$! CREATE_EPHEMERAL_DH_PARAM.COM
$!
$! Create DH param files required to support ephemeral DH keys.
$! Ephemeral keys are required to support "forward secrecy".
$! https://www.openssl.org/docs/apps/dhparam.html
$!
$! Runs "openssl dhparam" three times to produce [.CERT]DH_PARAM_512.PEM,
$! DH_PARAM_1024.PEM and DH_PARAM_2048.PEM, lists them, and optionally copies
$! them to WASD_ROOT:[LOCAL].
$!
$! SECURITY NOTE: 512-bit and 1024-bit DH groups are well below current
$! minimum strengths; only the 2048-bit file should be referenced by a
$! deployed server configuration.
$!
$! P1 optionally specifies the configuration file (defaults to DEFAULT.CNF)
$!
$! WASD VMS Web Services, Copyright (C) 1996-2015 Mark G.Daniel.
$! This program comes with ABSOLUTELY NO WARRANTY.
$! This is free software, and you are welcome to redistribute it under the
$! conditions of the GNU GENERAL PUBLIC LICENSE, version 3, or later version.
$! http://www.gnu.org/licenses/gpl.txt
$!
$! 18-JAN-2015 MGD initial
$!-----------------------------------------------------------------------------
$!
$! A configFileName symbol that already exists (for example one set by a
$! calling procedure) takes precedence; P1 is only consulted when undefined.
$ if f$type(configFileName) .eqs. "" -
     then configFileName = f$edit(P1,"lowercase")
$!
$! Relative directory specs; they resolve against the procedure's own
$! directory once SET DEFAULT has been done below.
$ certDir = "[.CERT]"
$ workDir = "[.CERT.WORK]"
$ if configFileName .eqs. "" then configFileName = "default.cnf"
$! String subtraction removes the first ".cnf" occurrence and one is then
$! appended, so the name always ends in a single ".cnf".
$ configFileName = configFileName - ".cnf" + ".cnf"
$!
$ say = "write sys$output"
$!
$! Any command completing with error or severe status jumps to serverError
$! (except while SET NOON is in effect further down).
$ on error then goto serverError
$! Strip the "000000." MFD component from the procedure's own file spec so the
$! device and directory parsed from it form a plain directory specification.
$ procedure = f$environment("procedure") - "000000."
$ newDefault = f$parse(procedure,,,"device") + f$parse(procedure,,,"directory")
$! Remember the caller's default directory so it can be restored at the end.
$ prevDefault = f$environment("default")
$ set default 'newDefault'
$!
$! Sibling procedures, not shown here.  Presumably FIND_SSL defines the
$! "openssl" foreign command and CREATE_SUPPORT_FILES prepares the work
$! directory and RANDFILE -- confirm against those procedures.
$ @FIND_SSL
$ @CREATE_SUPPORT_FILES
$!
$! Everything up to the next "$" line is displayed verbatim.
$ type sys$input

*******************************
*  CREATE EPHEMERAL DH PARAM  *
*******************************

Using ephemeral DH key exchange facilitates forward secrecy.  This procedure
generates files containing "strong primes" that are used as input to enable
ephemeral DH keys during SSL negotiation.  One each of 512, 1024 and 2048 bit
primes per file.

These files must then be copied to WASD_ROOT:[LOCAL] with names unchanged.

It is recommended emphemeral parameters be generated with each installation.
Of course they can be refreshed at any time.

Generating these primes MAY TAKE MANY MINUTES depending on the platform!

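$ read sys$command response /prompt="Continue? [N]: "
$ say ""
$! Declining (empty or "N") leaves via dhCleanup rather than a bare EXIT, so
$! the default directory changed at the start of the procedure is restored.
$ if .not. response then goto dhCleanup
$!
$! SECURITY NOTE: 512-bit and 1024-bit DH groups are far below current
$! minimum strengths; a server offering them is exposed to downgrade to a
$! breakable group.  They are still generated so existing configurations that
$! reference the files keep working, but only DH_PARAM_2048.PEM should be
$! referenced by a deployed server configuration.
$!
$! Each step runs "openssl dhparam" under SET NOON (its exit status is not
$! relied on) and then checks that the output file actually exists so a
$! failed generation is reported instead of ending with COMPLETE.  A file left
$! by a previous run would satisfy that check.
$ type sys$input

************************
*  GENERATING 512 BIT  *
************************

$ set noon
$! OPENSSL_CONF is defined /USER so it applies to the next image only.
$ define /user openssl_conf 'configFileName'
$ openssl dhparam -out 'certDir'dh_param_512.pem 512
$ set on
$ if f$search("''certDir'dh_param_512.pem") .eqs. "" then goto dhParamFailed
$!
$ say ""
$ type sys$input

*************************
*  GENERATING 1024 BIT  *
*************************

$ set noon
$ define /user openssl_conf 'configFileName'
$ openssl dhparam -out 'certDir'dh_param_1024.pem 1024
$ set on
$ if f$search("''certDir'dh_param_1024.pem") .eqs. "" then goto dhParamFailed
$!
$ say ""
$ type sys$input

*************************
*  GENERATING 2048 BIT  *
*************************

$ set noon
$ define /user openssl_conf 'configFileName'
$ openssl dhparam -out 'certDir'dh_param_2048.pem 2048
$ set on
$ if f$search("''certDir'dh_param_2048.pem") .eqs. "" then goto dhParamFailed
$!
$ say ""
$ type sys$input

***********
*  FILES  *
***********

$! Use the bare DCL verbs so a user-defined DIRECTORY or COPY alias cannot
$! alter the qualifiers (or the destination) used here.
$ directory = "directory"
$ directory/date 'certDir'dh_param_*.pem;0
$!
$ type sys$input

Copy these files to WASD_ROOT:[LOCAL]?

$ read sys$command response /prompt="Continue? [N]: "
$ say ""
$ if response
$ then
$    copy = "copy"
$    copy/log 'certDir'dh_param_*.pem;0 wasd_root:[local]*.*;0
$ endif
$!
$ say ""
$ type sys$input

*********************
*  C O M P L E T E  *
*********************

$!
$ goto dhCleanup
$!
$! Reached when "openssl dhparam" left no output file; report it, then fall
$! through to the generic error path.
$ dhParamFailed:
$ say "Expected DH parameter file was not created in ''certDir' (see openssl output above)"
$!
$ serverError:
$!'f$verify(0)
$ type sys$input

***************
*  E R R O R  *
***************

$!
$ dhCleanup:
$! Best-effort cleanup: SET NOON so a failing protection change cannot
$! re-enter serverError and skip restoring the caller's default directory.
$ set noon
$! Presumably revokes WORLD access to the certificate and work files
$! (SET PROTECTION=W with no access bits) -- confirm intent.
$ set prot=w 'certDir'*.*;*
$ set prot=w 'workDir'*.*;*
$! RANDFILE is a global symbol assumed to be created by CREATE_SUPPORT_FILES.
$ if f$type(RANDFILE) .nes. "" then delete/symbol/global RANDFILE
$!
$ set default 'prevDefault'
$!
$!-----------------------------------------------------------------------------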