add 2048 bits of DH params for nginx, postfix, dovecot

nginx/postfix use a new pre-generated dh2048.pem file. dovecot generates the bits on its own. ssllabs.com reports that TLS_DHE ciphers went from 1024 to 2048 bits as expected. The ECDHE ciphers remain at 256 bits --- no idea what that really means. (This tests nginx only. I haven't tested postfix/dovecot.) see https://discourse.mailinabox.email/t/fips-ready-for-ssl-dhec-key-exchange/76/3
2026-03-15 17:37:22 +01:00 · 2014-09-26 22:01:38 +00:00
parent c2eb8e5330
commit 39bca053ed
5 changed files with 17 additions and 4 deletions
--- a/setup/ssl.sh
+++ b/setup/ssl.sh
@@ -43,3 +43,8 @@ if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
 	  -in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
 fi

+# For nginx and postfix, pre-generate some better DH bits. They seem to
+# each rely on openssl's default of 1024 bits.
+if [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
+	openssl dhparam -out $STORAGE_ROOT/ssl/dh2048.pem 2048
+fi