use predefined DHE field groups

conf/dh4096.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----

setup/ssl.sh

@@ -90,9 +90,7 @@ if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
 	ln -s $CERT $STORAGE_ROOT/ssl/ssl_certificate.pem
 fi
 
-# Generate some Diffie-Hellman cipher bits.
+# We no longer generate Diffie-Hellman cipher bits. Following rfc7919 we use
-# openssl's default bit length for this is 1024 bits, but we'll create
+# a predefined finite field group, in this case ffdhe4096 from
-# 4096 bits of bits per the latest recommendations.
+# https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
-if [ ! -f $STORAGE_ROOT/ssl/dh4096.pem ]; then
+cp -f conf/dh4096.pem $STORAGE_ROOT/ssl/
-	openssl dhparam -out $STORAGE_ROOT/ssl/dh4096.pem 4096
-fi