From 1f3515821151d271d4af56efac33995a81c80991 Mon Sep 17 00:00:00 2001
From: KiekerJan
Date: Sun, 1 Aug 2021 23:09:59 +0200
Subject: [PATCH] use predefined DHE field groups
---
conf/dh4096.pem | 13 +++++++++++++
setup/ssl.sh | 10 ++++------
2 files changed, 17 insertions(+), 6 deletions(-)
create mode 100644 conf/dh4096.pem
diff --git a/conf/dh4096.pem b/conf/dh4096.pem
new file mode 100644
index 00000000..3cf0fcbc
--- /dev/null
+++ b/conf/dh4096.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----
diff --git a/setup/ssl.sh b/setup/ssl.sh
index 5c36d789..d4ec6d7f 100755
--- a/setup/ssl.sh
+++ b/setup/ssl.sh
@@ -90,9 +90,7 @@ if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
 ln -s $CERT $STORAGE_ROOT/ssl/ssl_certificate.pem
 fi
-# Generate some Diffie-Hellman cipher bits.
-# openssl's default bit length for this is 1024 bits, but we'll create
-# 4096 bits of bits per the latest recommendations.
-if [ ! -f $STORAGE_ROOT/ssl/dh4096.pem ]; then
- openssl dhparam -out $STORAGE_ROOT/ssl/dh4096.pem 4096
-fi
+# We no longer generate Diffie-Hellman cipher bits. Following rfc7919 we use
+# a predefined finite field group, in this case ffdhe4096 from
+# https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
+cp -f conf/dh4096.pem $STORAGE_ROOT/ssl/
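Review bot: The new `cp -f conf/dh4096.pem $STORAGE_ROOT/ssl/` silently overwrites whatever `$STORAGE_ROOT/ssl/dh4096.pem` already holds, including parameters an administrator may have generated or swapped in by hand, and the destination is unquoted, so a `$STORAGE_ROOT` containing whitespace would split the command; the removed code only generated the file when it was absent. The overwrite is presumably intended, to retire locally generated parameters on existing installs, so it should be stated rather than implied and the source of truth should be the RFC rather than a GitHub mirror: replace the three comment lines with `# Install the RFC 7919 ffdhe4096 group shipped as conf/dh4096.pem. This deliberately replaces any previously generated dh4096.pem so existing installs stop using local parameters.` and the copy with `cp -f conf/dh4096.pem "$STORAGE_ROOT/ssl/dh4096.pem"`. Since DHE security now rests entirely on that checked-in file, conf/dh4096.pem should be compared against RFC 7919 Appendix A.3 before merging (its DER prefix `FF FF AD F8 54 58`, 4096-bit modulus length and generator 2 are consistent with the RFC groups, but I have not compared the full prime); `openssl dhparam -in conf/dh4096.pem -noout -text` prints the value for that comparison. The relative `conf/` path also assumes the script runs from the repository root, which the surrounding setup code may already rely on but this hunk does not show.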