Diffie-Hellman parameters are required for forward secrecy
Bug description
"To use perfect forward secrecy cipher suites, you must set up Diffie-Hellman parameters (on the server side), or the PFS cipher suites will be silently ignored."
The code for loading DH parameters is missing in jingle_xtls.py.
Steps to reproduce
During file transfer using Jingle XTLS, only the cipher AES256-GCM-SHA384 is used; this cipher doesn't support PFS. (Note: to get information about the cipher used in an SSL connection, PyOpenSSL has to be patched, see pyOpenSSL Bug 1249293.)
Fix
After this fix, DHE-RSA-AES256-GCM-SHA384 will be used; this cipher supports PFS. The code tries to load user DH parameters from ~/.local/share/gajim/dh_params.pem. If this file doesn't exist (the user has not created their own DH parameters), the default application DH parameters will be loaded.
The default DH parameters can be downloaded from OpenSSL. Please copy apps/dh4096.pem from OpenSSL to data/other/dh4096.pem so it's installed together with Gajim as the default DH parameters.
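The fallback described above, together with a post-handshake check that the negotiated cipher really is a forward-secret one, as an added example that is not Gajim's own code. It uses the standard library ssl module instead of pyOpenSSL, and the function names and the relative default path are assumptions.

```python
import os
import ssl

# Paths named in the report; DEFAULT_DH is relative to the install (assumption).
USER_DH = os.path.expanduser("~/.local/share/gajim/dh_params.pem")
DEFAULT_DH = os.path.join("data", "other", "dh4096.pem")

# OpenSSL names for TLS <= 1.2 suites start with the key exchange.
_PFS_PREFIXES = ("DHE-", "ECDHE-", "EDH-")


def pick_dh_params(user_path=USER_DH, default_path=DEFAULT_DH):
    """Prefer the user's own DH parameters, else the bundled default."""
    for path in (user_path, default_path):
        if os.path.isfile(path):
            return path
    # Fail loudly: without parameters the DHE suites are silently skipped.
    raise FileNotFoundError("no DH parameter file found")


def has_forward_secrecy(cipher_name, protocol="TLSv1.2"):
    """True if the negotiated suite uses an ephemeral key exchange."""
    if protocol == "TLSv1.3":  # certificate handshakes here always use (EC)DHE
        return True
    return cipher_name.startswith(_PFS_PREFIXES)


def server_context(certfile, keyfile, dh_path=None):
    """Server-side context with DH parameters loaded, enabling DHE suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_dh_params(dh_path or pick_dh_params())
    return ctx


def require_forward_secrecy(tls_socket):
    """Call after the handshake; rejects suites such as AES256-GCM-SHA384."""
    name, protocol, _bits = tls_socket.cipher()
    if not has_forward_secrecy(name, protocol):
        raise ConnectionError("cipher %s has no forward secrecy" % name)
    return name
```
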
More security
It's recommended that security-conscious users create their own DH parameters rather than use the default DH parameters, using the command
openssl dhparam -out ~/.local/share/gajim/dh_params.pem 4096
This command takes about 15 minutes to complete. The user can also create DH parameters with more bits, but this takes much longer. There is no interface in pyOpenSSL to create DH parameters.