--- include/dynconf.h	2012-10-17 09:05:38.000000000 -0400
+++ include/dynconf.h	2012-11-25 19:56:04.177820543 -0500
@@ -114,13 +114,14 @@
 	char *x_server_cert_pem;
 	char *x_server_key_pem;
 	char *x_server_cipher_list;
+	char *x_dh_pem;
 	char *trusted_ca_file;
 	long ssl_options;
 	int ssl_renegotiate_bytes;
 	int ssl_renegotiate_timeout;
 	
 #elif defined(_WIN32)
-	void *bogus1, *bogus2, *bogus3, *bogus5;
+	void *bogus1, *bogus2, *bogus3, *bogus5, *bogus8;
 	long bogus4;
 	int bogus6, bogus7;
 #endif
@@ -344,6 +345,7 @@
 	unsigned has_ssl_key:1;
 	unsigned has_ssl_trusted_ca_file:1;
 	unsigned has_ssl_options:1;
+	unsigned has_ssl_dh:1;
 	unsigned has_renegotiate_timeout : 1;
 	unsigned has_renegotiate_bytes : 1;
 #endif
--- src/s_conf.c	2012-10-17 09:05:38.000000000 -0400
+++ src/s_conf.c	2012-11-25 19:56:54.433158455 -0500
@@ -7729,6 +7729,10 @@
 				{
 					ircstrdup(tempiConf.x_server_cipher_list, cepp->ce_vardata);
 				}
+				else if (!strcmp(cepp->ce_varname, "dh"))
+				{
+					ircstrdup(tempiConf.x_dh_pem, cepp->ce_vardata);
+				}
 				else if (!strcmp(cepp->ce_varname, "certificate"))
 				{
 					ircstrdup(tempiConf.x_server_cert_pem, cepp->ce_vardata);	
@@ -8694,6 +8698,11 @@
 					CheckNull(cepp);
 					CheckDuplicate(cep, ssl_certificate, "ssl::certificate");
 				}
+				else if (!strcmp(cepp->ce_varname, "dh"))
+				{
+					CheckNull(cepp);
+					CheckDuplicate(cep, ssl_dh, "ssl::dh");
+				}
 				else if (!strcmp(cepp->ce_varname, "key"))
 				{
 					CheckNull(cepp);
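Review bot: The new `ssl::dh` branch validates only that the value is non-empty and not duplicated, so a path that cannot be opened, or that does not contain DH parameters, passes the configuration test. Judging from the ssl.c hunks, such a path is discovered only when the SSL contexts are built. The neighbouring `certificate` and `key` branches follow the same pattern, so this is consistent, but a bad DH file is an easy mistake to make. If the test phase is meant to catch errors before they take effect, add a readability check here, or at least a comment such as `/* file contents are validated later, in init_ctx_server() */`. The enclosing function starts and ends outside the hunk.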
--- src/ssl.c	2012-10-17 09:05:38.000000000 -0400
+++ src/ssl.c	2012-11-25 19:56:14.290475555 -0500
@@ -193,6 +193,8 @@
 {
 SSL_CTX *ctx_server;
 
+	FILE* dhpfile = NULL;
+	DH* ret;
 	ctx_server = SSL_CTX_new(SSLv23_server_method());
 	if (!ctx_server)
 	{
@@ -204,7 +206,22 @@
 	SSL_CTX_set_verify(ctx_server, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE
 			| (iConf.ssl_options & SSLFLAG_FAILIFNOCERT ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), ssl_verify_callback);
 	SSL_CTX_set_session_cache_mode(ctx_server, SSL_SESS_CACHE_OFF);
-
+	
+	if (iConf.x_dh_pem != NULL && ((dhpfile = fopen(iConf.x_dh_pem, "r")) == NULL))
+	{
+	    mylog("Failed to load DH parameters %s", iConf.x_dh_pem);
+	    goto fail;
+	}
+	if (dhpfile != NULL)
+	{
+    	    ret = PEM_read_DHparams(dhpfile, NULL, NULL, NULL);
+	    fclose(dhpfile);
+	    if (SSL_CTX_set_tmp_dh(ctx_server, ret) < 0)
+	    {
+	      mylog("Failed to use DH parameters %s", iConf.x_dh_pem);
+	      goto fail;
+            }
+	}
 	if (SSL_CTX_use_certificate_chain_file(ctx_server, SSL_SERVER_CERT_PEM) <= 0)
 	{
 		mylog("Failed to load SSL certificate %s", SSL_SERVER_CERT_PEM);
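Review bot: The result of `ret = PEM_read_DHparams(dhpfile, NULL, NULL, NULL);` is never checked, so a file that opens but does not hold valid DH parameters hands NULL to `SSL_CTX_set_tmp_dh`. The `< 0` test on that call also looks unable to catch a failure, since it reports failure as 0 and the certificate checks right below use `<= 0`. The DH object is never released either; as far as I know the context keeps its own copy, so `DH_free(ret)` is needed on both the success and the error path. The same three problems are repeated in the init_ctx_client hunk. It would also be worth rejecting undersized groups (for example by comparing `DH_size(ret)` with a minimum) so a weak parameter file is not silently accepted; the function begins before this hunk and the `fail` label lies outside it.

```c
	SSL_CTX_set_session_cache_mode(ctx_server, SSL_SESS_CACHE_OFF);

	if (iConf.x_dh_pem != NULL)
	{
		dhpfile = fopen(iConf.x_dh_pem, "r");
		if (dhpfile == NULL)
		{
			mylog("Failed to load DH parameters %s", iConf.x_dh_pem);
			goto fail;
		}
		ret = PEM_read_DHparams(dhpfile, NULL, NULL, NULL);
		fclose(dhpfile);
		if (ret == NULL)
		{
			/* File opened but did not parse as PEM DH parameters. */
			mylog("Failed to load DH parameters %s", iConf.x_dh_pem);
			goto fail;
		}
		/* A minimum-size check on the group (DH_size(ret)) would go here. */
		if (SSL_CTX_set_tmp_dh(ctx_server, ret) != 1)
		{
			DH_free(ret);
			mylog("Failed to use DH parameters %s", iConf.x_dh_pem);
			goto fail;
		}
		DH_free(ret); /* the context holds its own copy of the parameters */
	}
	/* … unchanged: certificate chain and key loading … */
```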
@@ -247,6 +264,8 @@
 SSL_CTX *init_ctx_client(void)
 {
 SSL_CTX *ctx_client;
+	FILE* dhpfile = NULL;
+	DH* ret;
 
 	ctx_client = SSL_CTX_new(SSLv3_client_method());
 	if (!ctx_client)
@@ -256,6 +275,21 @@
 	}
 	SSL_CTX_set_default_passwd_cb(ctx_client, ssl_pem_passwd_cb);
 	SSL_CTX_set_session_cache_mode(ctx_client, SSL_SESS_CACHE_OFF);
+	if (iConf.x_dh_pem != NULL && ((dhpfile = fopen(iConf.x_dh_pem, "r")) == NULL))
+	{
+	    mylog("Failed to load DH parameters %s", iConf.x_dh_pem);
+	    goto fail;
+	}
+	if (dhpfile != NULL)
+	{
+  	    ret = PEM_read_DHparams(dhpfile, NULL, NULL, NULL);
+	    fclose(dhpfile);
+	    if (SSL_CTX_set_tmp_dh(ctx_client, ret) < 0)
+	    {
+	      mylog("Failed to use DH parameters %s", iConf.x_dh_pem);
+	      goto fail;
+            }
+	}
 	if (SSL_CTX_use_certificate_file(ctx_client, SSL_SERVER_CERT_PEM, SSL_FILETYPE_PEM) <= 0)
 	{
 		mylog("Failed to load SSL certificate %s (client)", SSL_SERVER_CERT_PEM);
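Review bot: Setting DH parameters on the client context with `SSL_CTX_set_tmp_dh(ctx_client, ret)` is probably unnecessary, because in a TLS handshake the ephemeral DH group is chosen and sent by the server side. Parameters installed on a context used only for outgoing connections are therefore not expected to be consulted. As written, an unreadable `ssl::dh` file sends init_ctx_client down `goto fail`, so a problem with what is effectively a server-side file would presumably also break outgoing SSL links. I would drop this block from init_ctx_client; if it stays, it should check the `PEM_read_DHparams` result for NULL, compare the `SSL_CTX_set_tmp_dh` result with 1 instead of `< 0`, and call `DH_free(ret)` afterwards. The function body continues outside the hunk.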
